DO NOT REPLY [Bug 10419] - Session-ID grabbing from Request accepts invalid session cookies in presence of valid URL sessions
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419

Session-ID grabbing from Request accepts invalid session cookies in presence of valid URL sessions

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Additional Comments From [EMAIL PROTECTED]  2004-02-08 10:43 ---

Cookies will override URL session Ids. This is done on purpose and will not be fixed.

Now, there was an issue where Tomcat would only consider the first session id cookie. Now, if there are multiple ones, Tomcat will look until one of them is valid (the first one should be, as per Craig comments, but I've added more lenient code in the TC 5 CVS, since it doesn't hurt much).

Please do not reopen this report, it will not be fixed.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--- Additional Comments From [EMAIL PROTECTED]  2004-02-08 14:15 ---

Quote:
> Now, if there are multiple ones, Tomcat will look until one of them is valid

Cool, that's all I suggested.
--- Additional Comments From [EMAIL PROTECTED]  2004-02-08 14:35 ---

Actually, no. If there's a cookie and the URL is encoded, whatever is read from the URL will be overridden (having multiple cookies was another possibility). But this is a case which shouldn't happen (as long as 10418 is also a won't fix, there is a consistent effort to favor cookies, which is better for end users anyway).
--- Additional Comments From [EMAIL PROTECTED]  2004-02-08 15:38 ---

I agree, that when we can use cookies, session IDs from cookies should be preferred. Preferring URL rewritten session IDs over cookies has only been a potential point of discussion (see first comment).

But IMHO if all session IDs read from cookies are bogus and the session ID from the URL is a valid one, then tomcat should go for the valid one. So it's not a matter of 'use cookies' or 'use URL-rewriting' but 'use a valid session id gotten from the client while valid session cookies override session IDs from the URL'.

If you do the check as pointed out in your message from 2004-02-08 10:43, this is almost it as I understand it... if you do not override a valid session ID with an invalid one from a cookie.

Be lenient with what you consume, be pedantic and accurate with what you create.
-- Jon Postel
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED]  2004-02-07 14:43 ---

*** Bug 7588 has been marked as a duplicate of this bug. ***
[EMAIL PROTECTED] changed:

           What    |Removed                                                      |Added
---------------------------------------------------------------------------------------------------------------------
                URL|http://www.freiheit.com/users/hzeller/SessionBugDemonstration.java|http://vicdor.org/~hzeller/SessionBugDemonstration.java

--- Additional Comments From [EMAIL PROTECTED]  2004-02-07 20:16 ---

Since the URL to the original demonstration servlet of this issue wasn't reachable anymore (this bug is now open for 1.5 years..), I've moved it to a new location. You can find it at http://vicdor.org/~hzeller/SessionBugDemonstration.java now.

While re-reading the comments after a while I noticed that referencing the bugs 1 and 2 in my first comment is a bit misleading since bugzilla tries to link to the literal number. They actually stand for the two bugs I've committed regarding two related aspects of faulty session handling in tomcat, namely Bug #10418 and this Bug #10419.
--- Additional Comments From [EMAIL PROTECTED]  2003-07-28 11:26 ---

Bug #1 is related to this. I actually have a use case:

- Admin installs $WEBAPPLICATION
- forgets to disable cookies in Context; $WEBAPPLICATION always encodes sessions in URL
- users start using $WEBAPPLICATION
- Admin remembers after a week
- lots of users have cookies hanging around in their browsers and cannot log in any more because there is always a stale JSESSIONID cookie being sent by the browser and examined by Tomcat

We have been bitten by this bug several times.

Bye, Tino.

PS: Tested with Tomcat 4.1.24
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

--- Additional Comments From [EMAIL PROTECTED]  2003-03-21 20:15 ---

Yes, this is a BUG, and it seems that it is a serious bug, because probably at 1% of sessions are lost with IE, when the session for some circumstances is invalidated but the cookie is left non-expired, and after that the new session is generated and IE (6 and 5 for me) _ALWAYS_ sends two cookies JSESSIONID; but the first cookie is for the invalid session, so tomcat treats the session as new, although the second cookie contains the actual session id.

Also, I have read in the Netscape Standard for Cookies (http://wp.netscape.com/newsref/std/cookie_spec.html for your reference):

--
Instances of the same path and name will overwrite each other, with the latest instance taking precedence. Instances of the same path but different names will add additional mappings.
--

Well, I suppose this document is pretty old, but neither later RFCs (2109, 2965) nor the Servlet 2.3 Specification contains any information about cookie priority, so it is a good thing to think about.

And I am very frustrated that this bug remains NEW for about a year - isn't it a buglist??

Yes, I know that Mr. Maucherat in a similar bug 10419 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419) resolved this as WONTFIX, saying that he doesn't see any real use cases. Please, reconsider this or at least say something.

Sincerely, Peter.
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED]  2003-03-20 07:04 ---

*** Bug 14354 has been marked as a duplicate of this bug. ***
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
            Version|4.0.4 Final                 |4.1.6

--- Additional Comments From [EMAIL PROTECTED]  2002-07-03 07:57 ---

As I've said, I am not convinced by the use case.
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

--- Additional Comments From [EMAIL PROTECTED]  2002-07-03 08:25 ---

No. Just consider the simple case where you have multiple application contexts. All of these contexts have their own cookie, since they are separated. If you always grab the first cookie, then you get a session ID that is not valid in the second context. The problem is, that from this (wrong) requestedSessionId() the HttpSession is looked up, thus not found.

Bottomline: you can have only one application context running with cookies. I do not agree, that this is not a serious bug!

And the second session can not even decide to use URL encoding instead, because cookies (even with invalid session ids) decide there, that the session needs not to be encoded.

Please reconsider this - or we have to write in the documentation that the tomcat session handling can only handle sessions correctly if
 1) there is only one context involved
 2) we _only_ use cookies, since URL encoding is broken since it will only work in certain circumstances.

I can't see, why we should neglect this part of the spec!
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Major                       |Minor
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Additional Comments From [EMAIL PROTECTED]  2002-07-03 08:46 ---

Your statement is incorrect. URL encoding does work, but it is an all-or-nothing situation (ie, either you allow session cookies or you don't). As I said, I don't see a use case where the user-agent would submit the session id in the URL for a context, and then would submit it as a cookie for another one.

The spec also doesn't specify what is the priority order for the session ids, not that it is really needed anyway IMO.

In any case, I don't consider this a major bug, if people think it is a bug.
--- Additional Comments From [EMAIL PROTECTED]  2002-07-03 17:40 ---

Here's an FYI regarding disambiguating session id cookies.

Tomcat always sets the path attribute of the cookie to correspond to the context path of the web application for which that cookie applies. A client is supposed to send back cookies only when the request URI matches the path prefix. Thus, you will only get 1 session id cookie under the following circumstances:

(1) You have context paths nested inside each other (app1 uses /foo and app2 uses /foo/bar)

(2) You have a broken client that doesn't respect the path attribute or the cookie value ordering rules (see below for more).

Case (1) highlights another interesting issue -- the cookies that are included in the request don't have any identifiers with them, so it is not obvious how you are supposed to tell them apart. Fortunately, the specs define a rule to deal with this -- the client is supposed to send the cookie for the longest matching path first. Thus, in the overlapping case defined above, a request to /foo/bar/baz will include two values for the session id cookie -- first the one for the /foo/bar context and then the one for the /foo context. A request to /foo/xyz will only send the cookie for the /foo context.

This is why Tomcat takes the first session id cookie in the list; a properly programmed client will ensure that this is the right one for the most deeply nested context path that matches the request URI.

Tomcat cannot do anything to help you on case (2) however. :-)
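The thread argues about three different ways of picking the requested session id from a request: take the first JSESSIONID cookie (what Craig's comment says Tomcat does, relying on the longest-path-first ordering rule), walk the cookies until one names a live session (the lenient code Remy describes), or fall back to a valid URL-encoded id when every cookie is stale (what the reporter asks for). The following is an added illustration, not Tomcat source, that encodes the three policies side by side and runs them over constructed requests modelled on the cases raised above (nested contexts, a client that ignores the ordering rule, IE sending a stale cookie before the live one, and a stale cookie alongside a valid URL id). Session ids, context paths and the `live_sessions` set standing in for a session manager are all made up for the example; what policy B does when no cookie is valid is an assumption, since the thread does not say.

```python
from typing import Callable, Optional

SESSION_COOKIE = "JSESSIONID"
URL_MARKER = ";jsessionid="


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs in the order the
    client sent them. Order matters here: a conforming client sends the cookie
    for the longest matching path first."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def session_cookie_values(header: str) -> list[str]:
    """All JSESSIONID values in the header, first-sent first."""
    return [v for n, v in parse_cookie_header(header) if n == SESSION_COOKIE]


def url_session_id(request_uri: str) -> Optional[str]:
    """Session id carried as a ';jsessionid=' path parameter, if any."""
    path = request_uri.split("?", 1)[0]
    idx = path.lower().find(URL_MARKER)
    if idx < 0:
        return None
    rest = path[idx + len(URL_MARKER):]
    return rest.split(";", 1)[0]


Policy = Callable[[list[str], Optional[str], Callable[[str], bool]], Optional[str]]


def first_cookie(cookie_ids, url_id, is_valid):
    """Policy A (Tomcat 4 as described in the thread): the first session cookie
    wins whenever any session cookie is present, valid or not; the URL id is
    consulted only when no session cookie was sent."""
    return cookie_ids[0] if cookie_ids else url_id


def first_valid_cookie(cookie_ids, url_id, is_valid):
    """Policy B (the 'more lenient' TC5 code Remy describes): walk the session
    cookies until one names a live session; cookies still override the URL id.
    If none is valid this example keeps the first cookie (assumption)."""
    for sid in cookie_ids:
        if is_valid(sid):
            return sid
    return cookie_ids[0] if cookie_ids else url_id


def first_valid_anywhere(cookie_ids, url_id, is_valid):
    """Policy C (the reporter's proposal): a valid cookie still beats the URL,
    but a valid URL id beats cookies that are all stale. With nothing valid,
    fall back as policy B does; the request will simply get a new session."""
    for sid in cookie_ids:
        if is_valid(sid):
            return sid
    if url_id is not None and is_valid(url_id):
        return url_id
    return cookie_ids[0] if cookie_ids else url_id


def requested_session_id(policy: Policy, cookie_header: str, request_uri: str,
                         live_sessions: set[str]) -> Optional[str]:
    """Apply one policy to a request; live_sessions stands in for the
    context's session manager (constructed for this example)."""
    return policy(session_cookie_values(cookie_header),
                  url_session_id(request_uri),
                  lambda sid: sid in live_sessions)


# Constructed scenarios modelled on the thread; all ids are placeholders.
SCENARIOS = {
    # Craig's nested-context case: a conforming client sends /foo/bar's cookie
    # before /foo's, so the first cookie is right for a request under /foo/bar.
    "nested_ok": ("JSESSIONID=bar-sess; JSESSIONID=foo-sess",
                  "/foo/bar/baz", {"bar-sess"}),
    # Same request from a client that does not honour the ordering rule.
    "nested_reversed": ("JSESSIONID=foo-sess; JSESSIONID=bar-sess",
                        "/foo/bar/baz", {"bar-sess"}),
    # Peter's IE case: a stale cookie for an invalidated session is sent
    # before the cookie for the current one.
    "two_cookies": ("JSESSIONID=stale; JSESSIONID=live",
                    "/app/page", {"live"}),
    # Tino's case: a cookie left in the browser while the application now
    # uses URL rewriting with a valid id.
    "stale_cookie_valid_url": ("JSESSIONID=stale",
                               "/app/page;jsessionid=live", {"live"}),
}


def compare_policies(name: str) -> dict[str, Optional[str]]:
    """Requested session id chosen by each policy for one scenario."""
    header, uri, live = SCENARIOS[name]
    return {p.__name__: requested_session_id(p, header, uri, live)
            for p in (first_cookie, first_valid_cookie, first_valid_anywhere)}


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario, compare_policies(scenario))
```

Running it shows the shape of the disagreement: all three policies agree when the client orders its cookies correctly, only policy A is fooled by a reversed order or a leading stale cookie, and only policy C rescues the request that carries nothing valid in its cookies but a live id in the URL. Whichever policy a container picks, the id it settles on is still only a lookup key; a stale or bogus value yields no session and the request is treated as new, which is the failure the reporters were seeing rather than a way into someone else's session.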