DO NOT REPLY [Bug 45921] New: Session ID not read from URL when cookie value is not valid

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=45921

           Summary: Session ID not read from URL when cookie value is not
                    valid
           Product: Tomcat 6
           Version: 6.0.18
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: [EMAIL PROTECTED]


Hello,

According to SRV.7.1.3 of the Servlet specs, "URL rewriting is the lowest
common denominator of session tracking. When a client will not accept a cookie,
URL rewriting may be used by the server as the basis for session tracking".
Let's now consider the following case:

- A user accesses to an app that creates a session for that user. This means
the response will contain a cookie with that session id.
- At some point, the cookie stored into the user's browser might not be valid
anymore (let's say we invalidated that session from Tomcat).
- Now imagine that the user (who still has his browser opened, so the cookie is
still there) now clicks a link pointing to the same app, but that includes a
different (and valid) jsessionid embedded into the URL.

Under this case, the application is receiving a request that contains 2
references to a session: 1 jsessionid coming from a cookie (which is invalid
because we manually expired that session from the server) and 1 jsessionid
coming from the URL (which is valid because it belongs to a session still
active).

When we call request.getSession(true) on the app, Tomcat checks that the
jsessionid from the cookie is invalid, and returns a new session. Instead,
after verifying that the jsessionid from the cookie is invalid, it should check
if there's any valid jsessionid coming through the URL. If so, it should return
that session and not create a new one. Apparently, a jsessionid coming through
a URL is just considered when there's no jsessionid cookie on the request.

Thanks.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]