Dear Konstantin,

On further debugging, I found out that the difference is seen between 6.0.32 (same
behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54 reported
earlier). I could not figure out which change (as mentioned in the link
https://tomcat.apache.org/tomcat-6.0-doc/changelog.html) has caused this
difference.

Steps to reproduce it:
1.      Untar the Tomcat versions (Tomcat V6.0.32 and Tomcat V6.0.33).
2.      Enable the access log by uncommenting 'AccessLogValve' in conf/server.xml,
        as shown below:

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="${catalina.base}/logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>

3.      Deploy a simple web application (login.jsp) in Tomcat.

        <%-- login.jsp: echoes the request URI as Tomcat received it --%>
        <html>
          <body>
            <%
              String str = request.getRequestURI();
              System.out.println(str);
              out.println(str);
            %>
          </body>
        </html>

4.      Start Tomcat.
5.      Run the wget client to execute login.jsp.
6.      View the access log file entry.

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Tuesday, July 21, 2015 5:32 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why 
there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 14:38 GMT+03:00 Rahul Kumar Singh <rahul.si...@nectechnologies.in>:
> Hello Tomcat Team,
>
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in the URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in Tomcat 6 (V6.0.28). It is received in Tomcat 7 (V7.0.54).
> What is the reason for the different behavior?
>
> I used the WGET command to send the same request to both versions of Tomcat. The
> access logs (logs/localhost_access_log.txt) of both Tomcat versions show the
> difference.
>
>
> WGET REQUEST:
> wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
>
>
> Observations:
> TOMCAT 7.0.54 ACCESS LOGS:
> 127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
>
>
> -----Original Message-----
> From: Rahul Kumar Singh
> Sent: Tuesday, June 23, 2015 6:17 PM
> To: 'Tomcat Users List'
> Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.
>
> Hello Tomcat team,
>
> In Tomcat 7.0.54 we have observed that the login URL is appended with a
> JSESSIONID parameter in our web application.
> Example:
> /framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B
>
> System configuration (Windows 7 + IE 8)
>
> Due to this, session authentication fails.
>


1. Step by step recipe to reproduce your issue  = ?

2. 6.0.28 is old. The current one is 6.0.44

3. http://tomcat.apache.org/security-6.html
CVE-2013-2067 ?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
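
The access log entry quoted in the thread records the session ID in clear text, so anyone who can read the log can read a usable session token. The following is an added example, not part of the thread or of Tomcat: it scans access log lines in the "common" pattern for a ";jsessionid=" path parameter and redacts the value. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Common Log Format, as written by AccessLogValve with pattern="common":
#   host ident user [time] "METHOD target PROTOCOL" status bytes
CLF = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]+" \d{3} \S+$'
)
# A ";jsessionid=<value>" path parameter ends at the next ';', '/', '?' or '#'.
JSESSIONID = re.compile(r';jsessionid=([^;/?#]*)', re.IGNORECASE)


def scan_line(line):
    """Return (line_with_ids_redacted, ids_found) for one access log line.

    Lines not in common format, or without a path parameter, come back
    unchanged with an empty list.
    """
    line = line.rstrip("\n")
    m = CLF.match(line)
    if not m:
        return line, []
    # Only the path can carry path parameters; keep the query string as is.
    path, sep, query = m.group("target").partition("?")
    ids = JSESSIONID.findall(path)
    if not ids:
        return line, []
    redacted = JSESSIONID.sub(";jsessionid=[REDACTED]", path) + sep + query
    start, end = m.span("target")
    return line[:start] + redacted + line[end:], ids


def scan(lines):
    """Return [(line_number, redacted_line)] for every line that leaked an ID."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted, ids = scan_line(line)
        if ids:
            hits.append((number, redacted))
    return hits


SAMPLE_LOG = [
    # Entry quoted in the thread (Tomcat 7.0.54):
    '127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063',
    # Constructed entries:
    '127.0.0.1 - - [21/Jul/2015:08:30:14 +0000] "GET /login.jsp HTTP/1.0" 200 1063',
    '127.0.0.1 - - [21/Jul/2015:08:30:15 +0000] "GET /framework/login.action;JSESSIONID=0123456789ABCDEF?next=/home HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(number, redacted)
```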