https://issues.apache.org/bugzilla/show_bug.cgi?id=54980
Bug ID: 54980
Summary: Setting 'cookies' attribute to 'false' in context still generates JSESSIONID cookie
Product: Tomcat 7
Version: 7.0.27
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
As stated in http://tomcat.apache.org/tomcat-7.0-doc/config/context.html,
setting 'cookie' attribute to 'false' should disable the use of cookies for
session identifier communication. But it turns out not to work. The JSESSIONID
cookie is still generated and saved on the browser side.
This happens when the user doesn't specify "tracking-mode"
(http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/) in
the web.xml, which is the default behavior.
Below is some analysis I'd give after doing some debugging with Tomcat's source
code (tag: TOMCAT_7_0_27).
(setting 'cookie' attribute to 'false' in WEB-INF/context.xml)
The JSESSIONID cookie is generated in Request#doGetSession(boolean):line 2891.
As no "tracking-mode" is given in web.xml, the call of
ServletContext#getEffectiveSessionTrackingModes() falls back to
#getDefaultSessionTrackingModes(). There's no problem here.
The problem is the ServletContext is initialized before the 'cookie' attribute
is read from context.xml. Specifically, StandardContext#getServletContext() is
called before ContextConfig#processContextConfig(Digest, URL).
Hence, when initializing a ServletContext, the referenced StandardContext's
"cookies" field still has its default value "true", which wrongly initializes its
"defaultSessionTrackingModes" with COOKIE mode!
One solution I'd give is, when a StandardContext's "cookie" field is changed, to
re-initialize the referenced ServletContext.
Or make sure ContextConfig#processContextConfig(Digest, URL) is called before
any StandardContext#getServletContext() call.
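A simplified, hypothetical model of the ordering defect described in this report (added here as an example; it is not Tomcat's source): the ServletContext stand-in snapshots the default tracking modes in its constructor, before the 'cookies' attribute has been set to false, so COOKIE survives; reading the flag on demand, as the first proposed fix suggests, removes it. Class and enum names are stand-ins for StandardContext, ApplicationContext and javax.servlet.SessionTrackingMode.

```java
import java.util.EnumSet;

/** Hypothetical, simplified model of the init-order defect in bug 54980; not Tomcat code. */
public class CookiesAttributeOrderDemo {
    /** Stand-in for javax.servlet.SessionTrackingMode. */
    enum TrackingMode { COOKIE, URL }

    /** Stand-in for StandardContext: 'cookies' defaults to true until context.xml is digested. */
    static class StandardCtx {
        boolean cookies = true;
        private AppCtx servletContext;
        AppCtx getServletContext(boolean recomputeOnRead) {
            if (servletContext == null) servletContext = new AppCtx(this, recomputeOnRead);
            return servletContext;
        }
    }

    /** Stand-in for ApplicationContext. */
    static class AppCtx {
        private final StandardCtx ctx;
        private final boolean recomputeOnRead;
        private final EnumSet<TrackingMode> eagerDefaults; // snapshot taken in the constructor
        private EnumSet<TrackingMode> configured;          // what web.xml <tracking-mode> would set

        AppCtx(StandardCtx ctx, boolean recomputeOnRead) {
            this.ctx = ctx;
            this.recomputeOnRead = recomputeOnRead;
            this.eagerDefaults = computeDefaults(); // defect: ctx.cookies may not be read yet
        }
        private EnumSet<TrackingMode> computeDefaults() {
            EnumSet<TrackingMode> modes = EnumSet.of(TrackingMode.URL);
            if (ctx.cookies) modes.add(TrackingMode.COOKIE);
            return modes;
        }
        EnumSet<TrackingMode> getEffectiveSessionTrackingModes() {
            if (configured != null) return configured; // explicit tracking-mode bypasses the defaults
            return recomputeOnRead ? computeDefaults() : eagerDefaults;
        }
    }

    /** Returns true when a session cookie would still be issued despite cookies="false". */
    static boolean cookieStillIssued(boolean recomputeOnRead) {
        StandardCtx ctx = new StandardCtx();
        ctx.getServletContext(recomputeOnRead); // step 1: ServletContext created while cookies is still true
        ctx.cookies = false;                    // step 2: context.xml processed afterwards
        return ctx.getServletContext(recomputeOnRead)
                  .getEffectiveSessionTrackingModes().contains(TrackingMode.COOKIE);
    }

    public static void main(String[] args) {
        System.out.println("snapshot in constructor, cookie issued: " + cookieStillIssued(false));
        System.out.println("recompute on read, cookie issued: " + cookieStillIssued(true));
    }
}
```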