On 09/05/2011 14:53, Mark Thomas wrote:
> On 09/05/2011 13:58, Konstantin Kolinko wrote:
>> I have seen applications where  /webappname is not redirected to
>> /webappname/ but is served as is.  IIRC, that happens when there is no
>> welcome file.
>>
>> If I understand correctly, this change will break them.  Maybe make it
>> conditional?
> 
> The mapper redirects /test to /test/ unless there is an exact match or a
> prefix match (which won't happen for /test) so there should always be a
> redirect to /test/
> 
> I can't see a route for a request to /test getting passed to a web
> application. I'll do some more testing but I think this change is safe.

Grr. A servlet mapped to "/*" will break this on IE. It at least needs
to be configurable in this case. I'll leave the default as is (more
secure, works in most scenarios) but add an option to not add the
trailing / to the session path.

Mark

> 
>> For reference, discussion on users@
>> [1] http://markmail.org/message/wsmv4jecrwggpzaj
> 
> Yep, that is what triggered this. I did do some testing and while
> Firefox does what you'd want it to, IE sends a cookie with a path of
> /test with a request for /testfoo.
> 
> Mark
> 
>>
>>
>> 2011/5/9  <ma...@apache.org>:
>>> Author: markt
>>> Date: Mon May  9 12:45:55 2011
>>> New Revision: 1100992
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1100992&view=rev
>>> Log:
>>> Ensure session cookie paths end in / so that session cookies created for a
>>> context with a path of /foo do not get returned with requests mapped to a
>>> context with a path of /foobar
>>>
>>> Modified:
>>>    
>>> tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
>>>    tomcat/trunk/webapps/docs/changelog.xml
>>>
>>> Modified: 
>>> tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
>>> URL: 
>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java?rev=1100992&r1=1100991&r2=1100992&view=diff
>>> ==============================================================================
>>> --- 
>>> tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
>>>  (original)
>>> +++ 
>>> tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
>>>  Mon May  9 12:45:55 2011
>>> @@ -158,8 +158,10 @@ public class ApplicationSessionCookieCon
>>>         }
>>>         // Handle special case of ROOT context where cookies require a path 
>>> of
>>>         // '/' but the servlet spec uses an empty string
>>> -        if (contextPath.length() == 0) {
>>> -            contextPath = "/";
>>> +        // Also ensure the cookies for a context with a path of /foo don't 
>>> get
>>> +        // sent for requests with a path of /foobar
>>> +        if (!contextPath.endsWith("/")) {
>>> +            contextPath = contextPath + "/";
>>>         }
>>>         cookie.setPath(contextPath);
>>>
>>>
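Review bot: the new `!contextPath.endsWith("/")` branch changes behaviour for any context that serves `/foo` itself without redirecting to `/foo/` (the case Konstantin raised and the servlet-mapped-to-`/*` case above): a cookie with path `/foo/` is not returned on a request for `/foo`, so those applications lose their session. Keep this configurable, as proposed in the reply, or at least document that the unslashed request now depends on the redirect. The ROOT case still works, since `"".endsWith("/")` is false and the path becomes `/`, but the comment left in place still describes the removed `contextPath.length() == 0` check and should be updated to match the new condition.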
>>> Modified: tomcat/trunk/webapps/docs/changelog.xml
>>> URL: 
>>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1100992&r1=1100991&r2=1100992&view=diff
>>> ==============================================================================
>>> --- tomcat/trunk/webapps/docs/changelog.xml (original)
>>> +++ tomcat/trunk/webapps/docs/changelog.xml Mon May  9 12:45:55 2011
>>> @@ -71,6 +71,12 @@
>>>         ServletRequest#getServerPort() and ServletRequest#getLocalPort() 
>>> when
>>>         Tomcat is behind a reverse proxy. (markt)
>>>       </add>
>>> +      <fix>
>>> +        Ensure session cookie paths end in <code>/</code> so that session
>>> +        cookies created for a context with a path of <code>/foo</code> do 
>>> not
>>> +        get returned with requests mapped to a context with a path of
>>> +        <code>/foobar</code>. (markt)
>>> +      </fix>
>>>     </changelog>
>>>   </subsection>
>>>  </section>
>>>
>>>
>>>
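Review bot: the changelog entry describes only the `/foo` versus `/foobar` fix and not its side effect: applications that answer requests for `/foo` without redirecting to `/foo/` (for example a servlet mapped to `/*`) will no longer receive the session cookie on that request. Mention that behaviour change in this entry and, once the configuration option to suppress the trailing `/` is added, name it here as well.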
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>>
>>>
>>

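To make the two effects discussed in the thread concrete, the following is an added Python sketch, not code from the patch or from Tomcat, that contrasts RFC 6265 path-matching with the plain prefix match the thread attributes to IE, for the cookie path set before and after r1100992. The `old_cookie_path` and `new_cookie_path` helpers are assumed mirrors of the removed and added branches in the hunk above; the request paths are constructed.

```python
# Added example, not code from the Tomcat patch: RFC 6265 section 5.1.4
# path-matching next to the plain prefix match the thread reports for IE,
# applied to the cookie path Tomcat sets before and after r1100992.

def rfc6265_path_match(request_path: str, cookie_path: str) -> bool:
    """Path-match as defined in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # cookie-path is a prefix and the next request-path character is "/"
    return request_path[len(cookie_path)] == "/"


def prefix_path_match(request_path: str, cookie_path: str) -> bool:
    """Plain string-prefix match, the behaviour the thread attributes to IE."""
    return request_path.startswith(cookie_path)


def old_cookie_path(context_path: str) -> str:
    """Assumed mirror of the pre-patch branch: only ROOT ("") becomes "/"."""
    return "/" if context_path == "" else context_path


def new_cookie_path(context_path: str) -> str:
    """Assumed mirror of the patched branch: every context path ends in "/"."""
    return context_path if context_path.endswith("/") else context_path + "/"


def cookie_sent(context_path: str, request_path: str) -> dict:
    """For one context and one request, report whether the session cookie
    would be sent under both matchers, before and after the patch."""
    result = {}
    for label, path_fn in (("old", old_cookie_path), ("new", new_cookie_path)):
        cookie_path = path_fn(context_path)
        result[label] = {
            "cookie_path": cookie_path,
            "rfc6265": rfc6265_path_match(request_path, cookie_path),
            "prefix": prefix_path_match(request_path, cookie_path),
        }
    return result


if __name__ == "__main__":
    # Constructed cases: the /foo vs /foobar leak, the unslashed /foo request
    # that a /* servlet may answer without a redirect, and the ROOT context.
    for ctx, req in (("/foo", "/foobar"), ("/foo", "/foo"), ("/foo", "/foo/bar"), ("", "/x")):
        print(ctx or "(ROOT)", req, cookie_sent(ctx, req))
```

Under a prefix-matching browser the old `/foo` path is sent to `/foobar` and the new `/foo/` path is not; under both matchers the new path is no longer sent on a request for bare `/foo`, which is the breakage the reply describes.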