Dear Konstantin,

On further debugging, I found out the difference is seen between 6.0.32 (same behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54 reported earlier).
I could not figure out which change (as mentioned in link https://tomcat.apache.org/tomcat-6.0-doc/changelog.html) has caused this difference.

Steps to reproduce it?

1. Untar tomcat versions (Tomcat V6.0.32 and Tomcat V6.0.33)
2. Enable access log by uncommenting 'AccessLogValve' in conf/server.xml as shown below

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="${catalina.base}/logs"
           prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>

3. Deploy a simple web application (login.jsp) in Tomcat.

    // login.jsp in tomcat
    <html>
    <body>
    <%
    String str = request.getRequestURI();
    System.out.println(str);
    out.println(str);
    %>
    </body>
    </html>

4. Start tomcat
5. Run client wget to execute the login.jsp
6. View access log file entry

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Tuesday, July 21, 2015 5:32 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 14:38 GMT+03:00 Rahul Kumar Singh <rahul.si...@nectechnologies.in>:
> Hello Tomcat Team,
>
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in tomcat 6 (V6.0.28). It is received in tomcat 7 (V7.0.54).
> What is reason for the different behavior?
>
> I used WGET command to send same request to both version of tomcats. Access
> logs (logs/localhost_access_log.txt) of both tomcat versions show the
> difference
>
>
> WGET REQUEST:
> wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> .
>
>
> Observations:
> TOMCAT 7.0.54 ACCESS LOGS:
> 127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET
> /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
>
>
> -----Original Message-----
> From: Rahul Kumar Singh
> Sent: Tuesday, June 23, 2015 6:17 PM
> To: 'Tomcat Users List'
> Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.
>
> Hello Tomcat team,
>
> In Tomcat7.0.54 We have observed that Login URL is Appended with JSESSIONID
> parameter in our Web Application
> Example:
> /framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B
>
> System Configuration (WINDOW7+IE-8)
>
> Due to this, session authentication fails.
>

1. Step by step recipe to reproduce your issue = ?

2. 6.0.28 is old. The current one is 6.0.44

3. http://tomcat.apache.org/security-6.html
CVE-2013-2067 ?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
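
Added example, not part of the thread: a Python check that scans access log lines in the "common" pattern for the ";jsessionid=" path parameter seen in the 7.0.54 entry above, and masks the value before a log is shared. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Common Log Format as written by AccessLogValve with pattern="common":
# host ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# ;jsessionid=<value> path parameter; the value ends at the next ; / ? or #.
# Matching is case-insensitive on purpose so odd spellings are caught too.
JSESSIONID = re.compile(r';jsessionid=([^;/?#\s"]*)', re.IGNORECASE)


def find_session_ids(lines):
    """Return (line_no, host, uri_without_id, session_id) for each hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF entry; skip rather than guess
        uri = m.group("uri")
        for sid in JSESSIONID.finditer(uri):
            hits.append((no, m.group("host"), JSESSIONID.sub("", uri), sid.group(1)))
    return hits


def redact(line):
    """Mask the session ID value so the log line can be passed on."""
    return JSESSIONID.sub(";jsessionid=[REDACTED]", line)


# Constructed sample: the first entry is the one quoted in the thread,
# the other two are made up for contrast.
SAMPLE = [
    '127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063',
    '127.0.0.1 - - [21/Jul/2015:08:31:02 +0000] "GET /login.jsp HTTP/1.0" 200 1063',
    '127.0.0.1 - - [21/Jul/2015:08:31:40 +0000] "GET /app/list;JSESSIONID=ABCDEF0123456789?page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_session_ids(SAMPLE):
        print(hit)
    print(redact(SAMPLE[0]))
```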