[
https://issues.apache.org/jira/browse/OFBIZ-4785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sharan Foga updated OFBIZ-4785:
-------------------------------
Sprint: Bug Crush Event - 21/2/2015
> Enable Cross (Sub)Domain Tracking is not working - tomcat
> ---------------------------------------------------------
>
> Key: OFBIZ-4785
> URL: https://issues.apache.org/jira/browse/OFBIZ-4785
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Trunk
> Reporter: K Sharad Bhushan
> Labels: api-change, ofbiz, tomcat
>
> While we were upgrading OFBiz for our applications, I noticed the usage
> of enabling cross domain tracking and was planning to use it. We had a custom
> solution previously for Tomcat, as it did not support a configurable session
> cookie domain (version ).
> Here is the description of the issue:
> In OFBiz, cross domain session cookies were allowed using configuration in
> ofbiz-container.xml, by setting a value for cookie.domain in url.properties
> and setting the property "enable-cross-subdomain-sessions" to true in
> ofbiz-containers.xml. This is not working.
>
> When debugging, I noticed the cause in CrossSubdomainSessionValve.java,
> where the cookie domain is supposed to be replaced/overridden in the response
> MIME headers, but it was trying to replace it in the request MIME headers.
> Here is the line of code in CrossSubdomainSessionValve:
>     MimeHeaders mimeHeaders = request.getCoyoteRequest().getMimeHeaders();
> Following this is the line:
>     if (mimeHeaders.getName(i).equals("Set-Cookie")) { // in request the header is "Cookie" and in response the header is "Set-Cookie".
> When I checked the svn history, I noticed it was replacing the response
> headers till version r938061, which is the expected behaviour; after a migration
> to Tomcat 7 revision r938061, I noticed the change described above.
> I assume this was done due to the deprecation of the method "getCoyoteResponse()" in
> Request, i.e. request.getCoyoteResponse().getMimeHeaders();
> However, I have the following observations which can be considered in fixing; I
> would attach the patches after we validate them.
> I do not see the need for CrossSubdomainSessionValve any more, as Tomcat
> since version 6.0.27 supports configuring the domain for session cookies in
> "Context".
> We can use the StandardContext to set the sessionCookieDomain.
> With that said, there are two approaches to achieve this:
> 1. Use the standard cookie.domain in url.properties to set
> sessionCookieDomain when enable-cross-subdomain-sessions is set to true,
> which I think is self-explanatory.
> 2. Allow the configuration of the cookie domain via the webapp info defined in
> ofbiz-component.xml (which is actually the Context used by Tomcat). However, I
> am not able to find a relevant context to support this, but it seems a
> possibility.
> Please let me know your thoughts.
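
The header mix-up described in the issue, as an added example that is not OFBiz or Tomcat code: a plain-Java stand-in for the valve's header loop, run once over request headers and once over response headers. The Header record, the rewriteCookieDomain method and all sample values are constructed for illustration; records need Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

public class SessionCookieDomainDemo {

    /** Minimal stand-in for a header collection; this is not Tomcat's MimeHeaders. */
    record Header(String name, String value) {}

    /**
     * Sets Domain=<domain> on every Set-Cookie header carrying the named cookie,
     * keeping its other attributes (Path, HttpOnly, Secure). Returns the number rewritten.
     */
    static int rewriteCookieDomain(List<Header> headers, String cookieName, String domain) {
        int rewritten = 0;
        for (int i = 0; i < headers.size(); i++) {
            Header h = headers.get(i);
            if (!h.name().equalsIgnoreCase("Set-Cookie")) continue;   // only responses carry this
            if (!h.value().startsWith(cookieName + "=")) continue;    // leave other cookies alone
            StringBuilder sb = new StringBuilder();
            for (String part : h.value().split(";")) {
                String attr = part.trim();
                // Drop empty segments and any Domain attribute already present.
                if (attr.isEmpty() || attr.regionMatches(true, 0, "Domain=", 0, 7)) continue;
                if (sb.length() > 0) sb.append("; ");
                sb.append(attr);
            }
            sb.append("; Domain=").append(domain);
            headers.set(i, new Header(h.name(), sb.toString()));
            rewritten++;
        }
        return rewritten;
    }

    public static void main(String[] args) {
        // Constructed sample headers for one request/response pair.
        List<Header> request = new ArrayList<>(List.of(
            new Header("Host", "shop.example.com"),
            new Header("Cookie", "JSESSIONID=ABC123")));
        List<Header> response = new ArrayList<>(List.of(
            new Header("Content-Type", "text/html"),
            new Header("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly")));

        // Request side: browsers send "Cookie", so a "Set-Cookie" match never occurs here.
        System.out.println("request headers rewritten:  "
            + rewriteCookieDomain(request, "JSESSIONID", ".example.com"));
        // Response side: the session cookie is issued here and can be re-scoped.
        System.out.println("response headers rewritten: "
            + rewriteCookieDomain(response, "JSESSIONID", ".example.com"));
        System.out.println("Set-Cookie: " + response.get(1).value());
    }
}
```

Widening Domain to the parent domain makes the browser send the session cookie to every subdomain under it, so keeping HttpOnly and Secure intact during the rewrite matters as much as the rewrite itself.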