Re: Issue overriding JSession cookie name - Wicket assumes overwritten name contains no uppercase characters

2020-12-09 Thread Sven Meier
Thanks!

Sven

On 9 December 2020 16:24:53 CET, Martin Grigorov wrote:
>https://issues.apache.org/jira/browse/WICKET-6858
>
>On Tue, Dec 8, 2020 at 11:19 AM Sven Meier  wrote:
>
>> Hi Chris,
>>
>> that #toLowerCase() has been introduced with WICKET-4816.
>>
>> The commit does not mention anything about the requirement for a lower
>> case comparison, and the test does not enforce it either:
>>
>>
>> https://github.com/apache/wicket/commit/66bfc8851c0250c02ff6ee0af0f42407a7873ca5#diff-2eff23be497b622b61b1181a1a97d8dcd70143cde2f14d644df573b3ecf7b5f5
>>
>> So this has probably been just an unnecessary precaution.
>>
>> Please open an issue.
>>
>> Thanks
>> Sven
>>
>>
>> On 08.12.20 08:48, Chris Colman wrote:
>> > Tomcat, and presumably other JEE app containers, now allow the
>> > specification of the name of the JSESSIONID parameter to use in the
>> > URL (even though cookies are largely used in place of this the initial
>> > hit on a web site will include the jsessionid parameter by default)
>> >
>> > This is done by setting a  attribute called 'sessionCookieName'
>> >
>> > e.g.
>> >
>> > 
>> >
>> > This can be specified in mixed case and Tomcat will preserve the case.
>> >
>> > Wicket allows a matching value to be specified via a Java -D command
>> > line option:
>> >
>> > e.g.
>> >
>> > -Dwicket.jsessionid.name=JSESSIONID-Integration
>> >
>> > However Wicket's Strings.stripJSessionId() method assumes that the
>> > JSESSIONID parameter name is always in lowercase which causes failures
>> > if it is not:
>> >
>> >
>> > public static String stripJSessionId(final String url)
>> > {
>> >     if (Strings.isEmpty(url))
>> >     {
>> >         return url;
>> >     }
>> >
>> >     // http://.../abc;jsessionid=...?param=...
>> >     int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM); // <-- seemingly unnecessary, unwanted toLowerCase() call
>> >     if (ixSemiColon == -1)
>> >     {
>> >         return url;
>> >     }
>> >
>> >     ...
>> >
>> > }
>> >
>> >
>> > Is there any need for the toLowerCase() method call in there? No app
>> > container should be performing a "to lower case" on the parameter name
>> > and URLs in general can have case sensitive parameter names in query
>> > parameters etc., so the toLowerCase seems redundant and it causes
>> > issues as detailed above.
>> >
>> >
>> > Regards,
>> >
>> > Chris
>> >
>> >
>> >


Re: Issue overriding JSession cookie name - Wicket assumes overwritten name contains no uppercase characters

2020-12-09 Thread Martin Grigorov
https://issues.apache.org/jira/browse/WICKET-6858

On Tue, Dec 8, 2020 at 11:19 AM Sven Meier  wrote:

> Hi Chris,
>
> that #toLowerCase() has been introduced with WICKET-4816.
>
> The commit does not mention anything about the requirement for a lower
> case comparison, and the test does not enforce it either:
>
>
> https://github.com/apache/wicket/commit/66bfc8851c0250c02ff6ee0af0f42407a7873ca5#diff-2eff23be497b622b61b1181a1a97d8dcd70143cde2f14d644df573b3ecf7b5f5
>
> So this has probably been just an unnecessary precaution.
>
> Please open an issue.
>
> Thanks
> Sven
>
>
> On 08.12.20 08:48, Chris Colman wrote:
> > Tomcat, and presumably other JEE app containers, now allow the
> > specification of the name of the JSESSIONID parameter to use in the
> > URL (even though cookies are largely used in place of this the initial
> > hit on a web site will include the jsessionid parameter by default)
> >
> > This is done by setting a  attribute called 'sessionCookieName'
> >
> > e.g.
> >
> > 
> >
> > This can be specified in mixed case and Tomcat will preserve the case.
> >
> > Wicket allows a matching value to be specified via a Java -D command
> > line option:
> >
> > e.g.
> >
> > -Dwicket.jsessionid.name=JSESSIONID-Integration
> >
> > However Wicket's Strings.stripJSessionId() method assumes that the
> > JSESSIONID parameter name is always in lowercase which causes failures
> > if it is not:
> >
> >
> > public static String stripJSessionId(final String url)
> > {
> >     if (Strings.isEmpty(url))
> >     {
> >         return url;
> >     }
> >
> >     // http://.../abc;jsessionid=...?param=...
> >     int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM); // <-- seemingly unnecessary, unwanted toLowerCase() call
> >     if (ixSemiColon == -1)
> >     {
> >         return url;
> >     }
> >
> >     ...
> >
> > }
> >
> >
> > Is there any need for the toLowerCase() method call in there? No app
> > container should be performing a "to lower case" on the parameter name
> > and URLs in general can have case sensitive parameter names in query
> > parameters etc., so the toLowerCase seems redundant and it causes
> > issues as detailed above.
> >
> >
> > Regards,
> >
> > Chris
> >
> >
> >
>
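A minimal reproduction of the behaviour discussed in this thread, as an added example that is not part of the original messages and is not Wicket's code. The class name, the `strip` helper, the example URLs and the session id are constructed for illustration; the helper is a simplified stand-in that shows why lower-casing only the URL leaves a mixed-case session parameter in place.

```java
import java.util.Locale;

public class StripJSessionIdDemo
{
    // Hypothetical, simplified stand-in for the stripping logic quoted in the thread:
    // removes ";<paramName>=<id>" from a URL and keeps any query string.
    static String strip(String url, String paramName, boolean lowerCaseUrl)
    {
        if (url == null || url.isEmpty())
        {
            return url;
        }
        String marker = ";" + paramName + "=";
        // lowerCaseUrl == true mirrors the quoted code: only the URL is lower-cased,
        // the configured parameter name is used as given.
        String haystack = lowerCaseUrl ? url.toLowerCase(Locale.ROOT) : url;
        int start = haystack.indexOf(marker);
        if (start == -1)
        {
            return url; // marker not found: the URL is returned unchanged
        }
        int query = url.indexOf('?', start);
        return query == -1 ? url.substring(0, start) : url.substring(0, start) + url.substring(query);
    }

    public static void main(String[] args)
    {
        // Constructed sample input; the session id value is made up.
        String mixedName = "JSESSIONID-Integration"; // name from the -D option in the thread
        String mixedUrl = "http://example.com/app/page;" + mixedName + "=0123ABCD?x=1";
        String defaultUrl = "http://example.com/app/page;jsessionid=0123ABCD?x=1";

        // Default lowercase name: the lower-cased search still matches.
        System.out.println("default name, lower-cased URL: " + strip(defaultUrl, "jsessionid", true));

        // Mixed-case name: the lower-cased URL can never contain the uppercase
        // marker, so the session id is left in the URL.
        System.out.println("mixed name, lower-cased URL:   " + strip(mixedUrl, mixedName, true));

        // Exact, case-sensitive search: the mixed-case parameter is stripped.
        System.out.println("mixed name, exact match:       " + strip(mixedUrl, mixedName, false));
    }
}
```

Run with `java StripJSessionIdDemo.java` (Java 11 or later); only the second line of output still contains the session id.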