Re: Issue overriding JSession cookie name - Wicket assumes overwritten name contains no uppercase characters
Thanks!

Sven

On 9 December 2020 16:24:53 CET, Martin Grigorov wrote:
>https://issues.apache.org/jira/browse/WICKET-6858
>
>On Tue, Dec 8, 2020 at 11:19 AM Sven Meier wrote:
>
>> Hi Chris,
>>
>> that #toLowerCase() has been introduced with WICKET-4816.
>>
>> The commit does not mention anything about the requirement for a lower
>> case comparison, and the test does not enforce it either:
>>
>> https://github.com/apache/wicket/commit/66bfc8851c0250c02ff6ee0af0f42407a7873ca5#diff-2eff23be497b622b61b1181a1a97d8dcd70143cde2f14d644df573b3ecf7b5f5
>>
>> So this has probably been just an unnecessary precaution.
>>
>> Please open an issue.
>>
>> Thanks
>> Sven
>>
>>
>> On 08.12.20 08:48, Chris Colman wrote:
>> > Tomcat, and presumably other JEE app containers, now allow the
>> > specification of the name of the JSESSIONID parameter to use in the
>> > URL (even though cookies are largely used in place of this the initial
>> > hit on a web site will include the jsessionid parameter by default)
>> >
>> > This is done by setting a attribute called 'sessionCookieName'
>> >
>> > e.g.
>> >
>> > This can be specified in mixed case and Tomcat will preserve the case.
>> >
>> > Wicket allows a matching value to be specified via a Java -D command
>> > line option:
>> >
>> > e.g.
>> >
>> > -Dwicket.jsessionid.name=JSESSIONID-Integration
>> >
>> > However Wicket's Strings.stripJSessionId() method assumes that the
>> > JSESSIONID parameter name is always in lowercase which causes failures
>> > if it is not:
>> >
>> >
>> > public static String stripJSessionId(final String url)
>> > {
>> >     if (Strings.isEmpty(url))
>> >     {
>> >         return url;
>> >     }
>> >
>> >     // http://.../abc;jsessionid=...?param=...
>> >     int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM); // <-- seemingly unnecessary, unwanted toLowerCase() call
>> >     if (ixSemiColon == -1)
>> >     {
>> >         return url;
>> >     }
>> >
>> >     ...
>> >
>> > }
>> >
>> >
>> > Is there any need for the toLowerCase() method call in there? No app
>> > container should be performing a "to lower case" on the parameter name
>> > and URLs in general can have case sensitive parameter names in query
>> > parameters etc., so the toLowerCase seems redundant and it causes
>> > issues as detailed above.
>> >
>> >
>> > Regards,
>> >
>> > Chris
>> >
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org

Re: Issue overriding JSession cookie name - Wicket assumes overwritten name contains no uppercase characters
https://issues.apache.org/jira/browse/WICKET-6858

On Tue, Dec 8, 2020 at 11:19 AM Sven Meier wrote:

> Hi Chris,
>
> that #toLowerCase() has been introduced with WICKET-4816.
>
> The commit does not mention anything about the requirement for a lower
> case comparison, and the test does not enforce it either:
>
> https://github.com/apache/wicket/commit/66bfc8851c0250c02ff6ee0af0f42407a7873ca5#diff-2eff23be497b622b61b1181a1a97d8dcd70143cde2f14d644df573b3ecf7b5f5
>
> So this has probably been just an unnecessary precaution.
>
> Please open an issue.
>
> Thanks
> Sven
>
>
> On 08.12.20 08:48, Chris Colman wrote:
> > Tomcat, and presumably other JEE app containers, now allow the
> > specification of the name of the JSESSIONID parameter to use in the
> > URL (even though cookies are largely used in place of this the initial
> > hit on a web site will include the jsessionid parameter by default)
> >
> > This is done by setting a attribute called 'sessionCookieName'
> >
> > e.g.
> >
> > This can be specified in mixed case and Tomcat will preserve the case.
> >
> > Wicket allows a matching value to be specified via a Java -D command
> > line option:
> >
> > e.g.
> >
> > -Dwicket.jsessionid.name=JSESSIONID-Integration
> >
> > However Wicket's Strings.stripJSessionId() method assumes that the
> > JSESSIONID parameter name is always in lowercase which causes failures
> > if it is not:
> >
> >
> > public static String stripJSessionId(final String url)
> > {
> >     if (Strings.isEmpty(url))
> >     {
> >         return url;
> >     }
> >
> >     // http://.../abc;jsessionid=...?param=...
> >     int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM); // <-- seemingly unnecessary, unwanted toLowerCase() call
> >     if (ixSemiColon == -1)
> >     {
> >         return url;
> >     }
> >
> >     ...
> >
> > }
> >
> >
> > Is there any need for the toLowerCase() method call in there? No app
> > container should be performing a "to lower case" on the parameter name
> > and URLs in general can have case sensitive parameter names in query
> > parameters etc., so the toLowerCase seems redundant and it causes
> > issues as detailed above.
> >
> >
> > Regards,
> >
> > Chris
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
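
The mismatch discussed in this thread, reproduced as an added stand-alone Java example (not part of the original messages and not Wicket's code). The class name, the marker construction (';' + name + '='), the strip helper and the sample URLs are assumptions made for illustration.

```java
import java.util.Locale;

public class StripSessionIdDemo {
    // Assumption: the marker searched for is ';' + configured name + '='.
    static String marker(String name) {
        return ";" + name + "=";
    }

    // Lookup as quoted in the thread: lower-case the URL, search for the marker as configured.
    static int findLowercased(String url, String marker) {
        return url.toLowerCase(Locale.ROOT).indexOf(marker);
    }

    // Case-preserving lookup: search the URL exactly as received.
    static int findExact(String url, String marker) {
        return url.indexOf(marker);
    }

    // Illustrative strip (hypothetical helper): drop ";name=id" up to the query string, if any.
    static String strip(String url, int ix) {
        if (ix == -1) {
            return url; // marker not found: URL is returned with the session id still in it
        }
        int q = url.indexOf('?', ix);
        return q == -1 ? url.substring(0, ix) : url.substring(0, ix) + url.substring(q);
    }

    public static void main(String[] args) {
        // Constructed sample names and URLs, not taken from a real deployment.
        String[] names = { "jsessionid", "JSESSIONID-Integration" };
        for (String name : names) {
            String m = marker(name);
            String url = "http://example.test/app/page" + m + "0123ABCD?param=1";
            System.out.println("name      : " + name);
            System.out.println("lowercased: " + strip(url, findLowercased(url, m)));
            System.out.println("exact     : " + strip(url, findExact(url, m)));
        }
    }
}
```

With the mixed-case name, the lower-cased lookup never matches, so the URL comes back with the session identifier still embedded, while the exact lookup removes it for both names.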