DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418

logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken

           Summary: logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
               URL: http://www.freiheit.com/users/hzeller/SessionBugDemonstration.java
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

[ This applies to current 4.1 CVS as well ]

The logic to determine whether a URL needs to be encoded in HttpServletResponse.encodeURL() is broken.

In HttpServletResponseBase.isEncodeable(String location), it decides that the URL needn't be encoded if the current ID comes from the cookie; see code snippet from HttpServletResponseBase:

-------
if (hreq.isRequestedSessionIdFromCookie()) {
    return (false);
}
------

However, this does not take into account that the session ID we got might have been from some previous session that already is invalidated, i.e. is not valid. In this case isRequestedSessionIdFromCookie() will return true, but this does not say anything about whether future (valid) sessions will come through the cookie.

The fix is easy. So the only way to check this correctly is:

---------
if (hreq.isRequestedSessionIdFromCookie() && hreq.isRequestedSessionIdValid()) {
    return (false);
}
---------
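To make the failure mode concrete, the following is an added, self-contained Java sketch (not Tomcat's code) that runs the broken and the proposed decision rule against a request carrying a stale session cookie. The `RequestState` record, the `isEncodeable*` names and the `encodeURL` helper are hypothetical stand-ins for the servlet request and Catalina's URL rewriting; the session ids are made up.

```java
// Added illustration, not Tomcat source. Models the broken and the fixed
// isEncodeable() decision over a minimal, hypothetical request model.
public class EncodeUrlDemo {

    // Hypothetical stand-in for the HttpServletRequest methods involved:
    // isRequestedSessionIdFromCookie(), isRequestedSessionIdValid() and the
    // id of the session actually bound to this request.
    record RequestState(String requestedSessionId, boolean fromCookie,
                        boolean valid, String currentSessionId) {}

    // Broken rule: a cookie-borne id alone is taken as proof of cookie support,
    // even when that id belongs to a session that no longer exists.
    static boolean isEncodeableBroken(RequestState req) {
        if (req.fromCookie()) {
            return false;
        }
        return true;
    }

    // Fixed rule (as proposed in the report): the cookie only proves anything
    // if the id it carried still refers to a valid session.
    static boolean isEncodeableFixed(RequestState req) {
        if (req.fromCookie() && req.valid()) {
            return false;
        }
        return true;
    }

    // Tomcat-style URL rewriting: append the current session id as a
    // ;jsessionid path parameter when the decision rule says to encode.
    static String encodeURL(String url, RequestState req, boolean useFixedRule) {
        boolean encode = useFixedRule ? isEncodeableFixed(req) : isEncodeableBroken(req);
        return encode ? url + ";jsessionid=" + req.currentSessionId() : url;
    }

    public static void main(String[] args) {
        // Constructed scenario: the browser still sends the cookie of session
        // "OLD17", which was invalidated earlier, so a fresh session "NEW42"
        // was created for this request. The broken rule leaves the URL bare;
        // the fixed rule rewrites it because the cookie proved nothing.
        RequestState stale = new RequestState("OLD17", true, false, "NEW42");
        System.out.println("broken: " + encodeURL("/app/next.jsp", stale, false));
        System.out.println("fixed:  " + encodeURL("/app/next.jsp", stale, true));

        // Control case: a live session from the cookie; neither rule rewrites.
        RequestState live = new RequestState("NEW42", true, true, "NEW42");
        System.out.println("live:   " + encodeURL("/app/next.jsp", live, true));
    }
}
```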