William A. Rowe, Jr.
Tue, 19 Aug 2008 20:22:13 -0700
Bill Barker wrote:
No, an un-escaped semicolon is a reserved character by RFC 2396, section 2.2. Since RFC 2616 section 3.2.1 uses 2396 as a reference, then an un-escaped semicolon isn't valid in a session-id. Of course the patch doesn't totally work since something like:
http://www.myfirm.com/myapp;foo=bar/mycontext;user=me/mypage.jsp;jsessionid=xxyyzz
is perfectly valid, and by 2396 section 3.3 should map to the same resource as:
http://www.myfirm.com/myapp/mycontext/mypage.jsp
(just that the resource can return different content depending on the params). Of course, Tomcat doesn't handle this case correctly either.
Just to be clear, the 2396 property foo=bar refers only to /myapp, and not specifically /myapp/mycontext and has no bearing on /myapp/mycontext/mypage.jsp. That's just a common Java misinterpretation, and the reason httpd server doesn't specifically support ';' syntax (which isn't to say it's not generally supported; /myapp is not /myapp;foo=bar). Unless you can clarify for us what the distinction between;
http://www.myfirm.com/myapp;foo=bar/mycontext/mypage.jsp
http://www.myfirm.com/myapp/mycontext;foo=bar/mypage.jsp
http://www.myfirm.com/myapp/mycontext/mypage.jsp;foo=bar
which might lead me to believe that folks implemented 2396 purposefully.
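
An added illustration of the per-segment parameter scoping discussed in this thread (not part of either message, and not httpd or Tomcat code): it splits a path by the RFC 2396 section 3.3 segment grammar and reports which segment carries a given parameter. The function names are hypothetical, and splitting each parameter at `=` is an assumed convention, since the RFC leaves parameter contents opaque.

```python
from urllib.parse import urlsplit

# URLs taken from the thread above.
URLS = [
    "http://www.myfirm.com/myapp;foo=bar/mycontext/mypage.jsp",
    "http://www.myfirm.com/myapp/mycontext;foo=bar/mypage.jsp",
    "http://www.myfirm.com/myapp/mycontext/mypage.jsp;foo=bar",
    "http://www.myfirm.com/myapp;foo=bar/mycontext;user=me/mypage.jsp;jsessionid=xxyyzz",
]


def split_segments(url):
    """Return [(segment_name, {param: value}), ...], one entry per path segment.

    RFC 2396 section 3.3 defines a segment as a name followed by zero or more
    ";"-introduced parameters, so each parameter is attached to one segment.
    """
    path = urlsplit(url).path  # urlsplit leaves ";" untouched in the path
    segments = []
    for raw in path.split("/")[1:]:  # drop the empty piece before the leading "/"
        name, *params = raw.split(";")
        parsed = {}
        for param in params:
            key, _, value = param.partition("=")  # assumed key=value convention
            parsed[key] = value
        segments.append((name, parsed))
    return segments


def param_owner(url, key):
    """Return the name of the segment that carries parameter `key`, or None."""
    for name, params in split_segments(url):
        if key in params:
            return name
    return None


def segment_names(url):
    """Return the path rebuilt from segment names only, parameters dropped."""
    return "/" + "/".join(name for name, _ in split_segments(url))


if __name__ == "__main__":
    for url in URLS:
        print(param_owner(url, "foo"), segment_names(url), split_segments(url))
```
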