Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-23 Thread Konstantin Kolinko
2015-07-23 11:32 GMT+03:00 Rahul Kumar Singh :
> Dear Christopher,
>
> On further debugging, I found out that the difference is seen between 6.0.32 (same
> behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54
> reported earlier). I could not figure out which change (as listed in
> https://tomcat.apache.org/tomcat-6.0-doc/changelog.html ) has caused this
> difference.
>
> Steps to reproduce it:
> 1.  Untar the two Tomcat versions (6.0.32 and 6.0.33).
> 2.  Enable the access log by uncommenting the 'AccessLogValve' in conf/server.xml
>     as shown below:
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="${catalina.base}/logs"
>            prefix="localhost_access_log." suffix=".txt" pattern="common"
>            resolveHosts="false"/>
>
> 3.  Deploy a simple web application (login.jsp) in Tomcat.
>
>     // login.jsp in tomcat
>     <%
>         String str = request.getRequestURI();
>         System.out.println(str);
>         out.println(str);
>     %>
>
> 4.  Start Tomcat.
> 5.  Run the wget client to execute login.jsp.
> 6.  View the access log file entry.


Thank you for version numbers.

This is expected behaviour. I added comments on the history of this change here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=51833

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-23 Thread Rahul Kumar Singh
Dear Konstantin,

On further debugging, I found out that the difference is seen between 6.0.32 (same
behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54 reported
earlier). I could not figure out which change (as listed in
https://tomcat.apache.org/tomcat-6.0-doc/changelog.html ) has caused this
difference.

Steps to reproduce it:
1.  Untar the two Tomcat versions (6.0.32 and 6.0.33).
2.  Enable the access log by uncommenting the 'AccessLogValve' in conf/server.xml
    as shown below:

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="${catalina.base}/logs"
           prefix="localhost_access_log." suffix=".txt" pattern="common"
           resolveHosts="false"/>

3.  Deploy a simple web application (login.jsp) in Tomcat.

    // login.jsp in tomcat
    <%
        String str = request.getRequestURI();
        System.out.println(str);
        out.println(str);
    %>

4.  Start Tomcat.
5.  Run the wget client to execute login.jsp.
6.  View the access log file entry.

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Tuesday, July 21, 2015 5:32 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why 
there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 14:38 GMT+03:00 Rahul Kumar Singh :
> Hello Tomcat Team,
>
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in the URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in Tomcat 6 (6.0.28). It is received in Tomcat 7 (7.0.54).
> What is the reason for the different behavior?
>
> I used the wget command to send the same request to both versions of Tomcat. The
> access logs (logs/localhost_access_log.txt) of both Tomcat versions show the
> difference.
>
>
> WGET REQUEST:
> wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
>
>
> Observations:
> TOMCAT 7.0.54 ACCESS LOGS:
> 127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
>
>
> -Original Message-
> From: Rahul Kumar Singh
> Sent: Tuesday, June 23, 2015 6:17 PM
> To: 'Tomcat Users List'
> Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.
>
> Hello Tomcat team,
>
> In Tomcat 7.0.54 we have observed that the login URL is appended with a JSESSIONID
> parameter in our web application.
> Example:
> /framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B
>
> System configuration (Windows 7 + IE 8)
>
> Due to this, session authentication fails.
>


1. Step by step recipe to reproduce your issue  = ?

2. 6.0.28 is old. The current one is 6.0.44

3. http://tomcat.apache.org/security-6.html
CVE-2013-2067 ?





DISCLAIMER:
---
The contents of this e-mail and any attachment(s) are confidential and intended
for the named recipient(s) only. It shall not attach any liability on the
originator or NEC or its affiliates. Any views or opinions presented in this
email are solely those of the author and may not necessarily reflect the
opinions of NEC or its affiliates. Any form of reproduction, dissemination,
copying, disclosure, modification, distribution and / or publication of this
message without the prior written consent of the author of this e-mail is
strictly prohibited. If you have received this email in error please delete it
and notify the sender immediately.
---



RE: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-23 Thread Rahul Kumar Singh
Dear Christopher,

On further debugging, I found out that the difference is seen between 6.0.32 (same
behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54 reported
earlier). I could not figure out which change (as listed in
https://tomcat.apache.org/tomcat-6.0-doc/changelog.html ) has caused this
difference.

Steps to reproduce it:
1.  Untar the two Tomcat versions (6.0.32 and 6.0.33).
2.  Enable the access log by uncommenting the 'AccessLogValve' in conf/server.xml
    as shown below:

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="${catalina.base}/logs"
           prefix="localhost_access_log." suffix=".txt" pattern="common"
           resolveHosts="false"/>

3.  Deploy a simple web application (login.jsp) in Tomcat.

    // login.jsp in tomcat
    <%
        String str = request.getRequestURI();
        System.out.println(str);
        out.println(str);
    %>

4.  Start Tomcat.
5.  Run the wget client to execute login.jsp.
6.  View the access log file entry.



-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, July 21, 2015 8:47 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why 
there is different behaviour in Tomcat 6 and Tomcat 7


Rahul,

On 7/21/15 6:38 AM, Rahul Kumar Singh wrote:
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in tomcat 6 (V6.0.28). It is received in tomcat
> 7 (V7.0.54). What is the reason for the different behavior?

I'm not sure why the change in behavior, but when a client requests a protected 
resource, the container has to redirect that client to the login page.

Before the redirect, a session is created to hold the saved-request to the 
originally-requested protected resource. This session id needs to be preserved. 
If the container can't tell if the client supports cookie-based session 
tracking, it must encode the session id in the login URL just in case. You'll 
find that, if you use a browser with cookies enabled, after the login page 
there will be no jsessionid path parameters in your URLs.

Is the presence of the jsessionid path parameter a problem for you?

(And at this point, it's really a good idea to start planning your upgrade path 
to Tomcat 8, which is quite reliable and stable. Tomcat 6 will EOL 2016-12-31: 
http://tomcat.apache.org/tomcat-60-eol.html)

-chris






Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 Thread Christopher Schultz

Rahul,

On 7/21/15 6:38 AM, Rahul Kumar Singh wrote:
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in tomcat 6 (V6.0.28). It is received in tomcat
> 7 (V7.0.54). What is the reason for the different behavior?

I'm not sure why the change in behavior, but when a client requests a
protected resource, the container has to redirect that client to the
login page.

Before the redirect, a session is created to hold the saved-request to
the originally-requested protected resource. This session id needs to
be preserved. If the container can't tell if the client supports
cookie-based session tracking, it must encode the session id in the
login URL just in case. You'll find that, if you use a browser with
cookies enabled, after the login page there will be no jsessionid path
parameters in your URLs.

Is the presence of the jsessionid path parameter a problem for you?

(And at this point, it's really a good idea to start planning your
upgrade path to Tomcat 8, which is quite reliable and stable. Tomcat 6
will EOL 2016-12-31: http://tomcat.apache.org/tomcat-60-eol.html)

-chris

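The fallback Chris describes (the container rewrites the session id into the login URL because it has not yet seen the client return a cookie) is what puts a live session id into access logs, browser history and Referer headers. On Tomcat 7, which implements Servlet 3.0, an application can tell the container to track sessions by cookie only, so no ;jsessionid= path parameter is ever generated. The web.xml below is an added example for this thread, not a file from the thread or from the Tomcat project; the display name and timeout are assumed values, and the <secure> flag assumes the application is served over HTTPS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for a Servlet 3.0 application on Tomcat 7.
     When <tracking-mode> is omitted, Tomcat's default is COOKIE plus URL:
     the container encodes ;jsessionid=... into URLs (login redirects,
     response.encodeURL() output) until it has seen the client send the
     session cookie back. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <display-name>example-app</display-name>      <!-- assumed name -->

  <session-config>
    <session-timeout>30</session-timeout>       <!-- minutes; assumed value -->
    <cookie-config>
      <http-only>true</http-only>               <!-- keep JSESSIONID out of reach of scripts -->
      <secure>true</secure>                     <!-- only valid if the app is served over HTTPS -->
    </cookie-config>
    <!-- COOKIE only: the session id is never written into a URL, so it
         cannot end up in access logs or Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

The trade-off is the one implicit in Chris's explanation: a client that does not return cookies can no longer keep a session at all, so FORM login fails for it instead of continuing with a URL-carried id. The same restriction can be applied programmatically from a ServletContextListener with servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)). Tomcat 6 predates Servlet 3.0; there the equivalent switch is the disableURLRewriting attribute on <Context>, so check the configuration reference for the exact 6.0.x release in use.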



Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 Thread Konstantin Kolinko
2015-07-21 14:38 GMT+03:00 Rahul Kumar Singh :
> Hello Tomcat Team,
>
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in the URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in Tomcat 6 (6.0.28). It is received in Tomcat 7 (7.0.54).
> What is the reason for the different behavior?
>
> I used the wget command to send the same request to both versions of Tomcat. The
> access logs (logs/localhost_access_log.txt) of both Tomcat versions show the
> difference.
>
>
> WGET REQUEST:
> wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
>
>
> Observations:
> TOMCAT 7.0.54 ACCESS LOGS:
> 127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
>
>
> -Original Message-
> From: Rahul Kumar Singh
> Sent: Tuesday, June 23, 2015 6:17 PM
> To: 'Tomcat Users List'
> Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.
>
> Hello Tomcat team,
>
> In Tomcat 7.0.54 we have observed that the login URL is appended with a JSESSIONID
> parameter in our web application.
> Example:
> /framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B
>
> System configuration (Windows 7 + IE 8)
>
> Due to this, session authentication fails.
>


1. Step by step recipe to reproduce your issue  = ?

2. 6.0.28 is old. The current one is 6.0.44

3. http://tomcat.apache.org/security-6.html
CVE-2013-2067 ?

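Konstantin's pointer to the security page is the practical reason to care about the difference: a session id that Tomcat accepts as a ;jsessionid= path parameter is also written into the access log, as the quoted log line shows, and every copy of that log (or of a Referer header carrying the same URL) is a copy of a usable credential. The script below is an added example, not code from the thread or from Tomcat. It parses access-log lines in the pattern="common" format the thread enables and reports every request whose URL carried a session id, splitting ;name=value path parameters off each path segment the way a servlet container does, so the clean path is reported next to the id. The lines in SAMPLE_LOG are constructed for the example; only the first mirrors the line posted in the thread, with an assumed +0000 time zone.

```python
"""Find session IDs carried as ;jsessionid= path parameters in Tomcat access logs.

Added example, not code from the thread or from the Tomcat project.  The log
lines in SAMPLE_LOG are constructed; only the first mirrors the line posted in
the thread (time zone assumed to be +0000).
"""
import re
from typing import Dict, List, NamedTuple, Optional

# AccessLogValve pattern="common":
#   host ident authuser [date] "method target protocol" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


class Target(NamedTuple):
    path: str                  # request path with path parameters removed
    params: Dict[str, str]     # ;name=value path parameters found on any segment
    query: Optional[str]       # text after '?', or None


def split_path_params(target: str) -> Target:
    """Separate ';name=value' path parameters from the request target.

    A servlet container does not treat ';jsessionid=...' as part of the path or
    of the query string: /login.jsp;jsessionid=X still maps to /login.jsp, and X
    becomes the requested session id.
    """
    path_part, _, query = target.partition("?")
    clean_segments: List[str] = []
    params: Dict[str, str] = {}
    for segment in path_part.split("/"):
        base, *extras = segment.split(";")
        clean_segments.append(base)
        for extra in extras:
            name, _, value = extra.partition("=")
            if name:
                params[name] = value   # a later segment's value overrides an earlier one
    return Target("/".join(clean_segments), params, query or None)


class Finding(NamedTuple):
    line_no: int
    client: str
    path: str
    session_id: str
    status: int


def find_url_session_ids(log_text: str, param_name: str = "jsessionid") -> List[Finding]:
    """Return one Finding per parsable log line whose target carried `param_name`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = _CLF.match(line.strip())
        if not match:
            continue                       # blank line, or not in common log format
        target = split_path_params(match.group("target"))
        if param_name in target.params:
            findings.append(Finding(
                line_no=line_no,
                client=match.group("host"),
                path=target.path,
                session_id=target.params[param_name],
                status=int(match.group("status")),
            ))
    return findings


# Constructed sample; the first line mirrors the one posted in the thread.
SAMPLE_LOG = """\
127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
10.0.0.5 - - [21/Jul/2015:08:30:14 +0000] "GET /login.jsp HTTP/1.1" 200 1063
10.0.0.5 - - [21/Jul/2015:08:30:15 +0000] "POST /j_security_check;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 302 -
10.0.0.7 - - [21/Jul/2015:08:30:16 +0000] "GET /app/page.jsp;jsessionid=DEADBEEF?x=1 HTTP/1.1" 200 512
"""


if __name__ == "__main__":
    for f in find_url_session_ids(SAMPLE_LOG):
        # Print only a prefix of the id so the report is not yet another copy of it.
        print(f"line {f.line_no}: {f.client} {f.path} status={f.status} "
              f"jsessionid={f.session_id[:8]}...")
```

Run it against a real localhost_access_log.*.txt by reading the file into find_url_session_ids(); a non-empty result on a production log means session ids are being issued through URL rewriting and the log file itself now needs the same handling as the session store.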



RE: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why there is different behaviour in Tomcat 6 and Tomcat 7

2015-07-21 Thread Rahul Kumar Singh
Hello Tomcat Team,

“;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in the URL
"localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
is not received in Tomcat 6 (6.0.28). It is received in Tomcat 7 (7.0.54).
What is the reason for the different behavior?

I used the wget command to send the same request to both versions of Tomcat. The
access logs (logs/localhost_access_log.txt) of both Tomcat versions show the
difference.


WGET REQUEST:
wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"


Observations: 
TOMCAT 7.0.54 ACCESS LOGS: 
127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063


-Original Message-
From: Rahul Kumar Singh 
Sent: Tuesday, June 23, 2015 6:17 PM
To: 'Tomcat Users List'
Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.

Hello Tomcat team,

In Tomcat 7.0.54 we have observed that the login URL is appended with a JSESSIONID
parameter in our web application.
Example:
/framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B

System configuration (Windows 7 + IE 8)

Due to this, session authentication fails.


But in Tomcat 6 it is not happening.
Could anyone from the Apache Tomcat community help me with this?

Regards,
Rahul Kumar Singh



