Re: Issue overriding JSession cookie name - Wicket assumes overwritten name contains no uppercase characters

Tue, 08 Dec 2020 01:19:33 -0800 

Hi Chris,

that #toLowerCase() has been introduced with WICKET-4816.
The commit does not mention anything about the requirement for a lower case comparison, and the test does not enforce it either: 

https://github.com/apache/wicket/commit/66bfc8851c0250c02ff6ee0af0f42407a7873ca5#diff-2eff23be497b622b61b1181a1a97d8dcd70143cde2f14d644df573b3ecf7b5f5

So this has probably been just an unnecessary precaution.

Please open an issue.

Thanks
Sven


On 08.12.20 08:48, Chris Colman wrote:
Tomcat, and presumably other JEE app containers, now allow the specification of the name of the JSESSIONID parameter to use in the URL (even though cookies are largely used in place of this the initial hit on a web site will include the jsessionid parameter by default) 

This is done by setting a <Context> attribute called 'sessionCookieName'

e.g.

<Context sessionCookieName="JSESSIONID-Integration" ... >

This can be specified in mixed case and Tomcat will preserve the case.
Wicket allows a matching value to be specified via a Java -D command line option: 

e.g.

-Dwicket.jsessionid.name=JSESSIONID-Integration
However Wicket's Strings.stripJSessionId() method assumes that the JSESSIONID parameter name is always in lowercase which causes failures if it is not: 


public static String stripJSessionId(final String url)
    {
        if (Strings.isEmpty(url))
        {
            return url;
        }

        // http://.../abc;jsessionid=...?param=...
        int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM);    <-- seemingly unnecessary, unwanted toLowerCase() call 
        if (ixSemiColon == -1)
        {
            return url;
        }

...

}
Is there any need for the toLowerCase() method call in there? No app container should be performing a "to lower case" on the parameter name and URLs in general can have case sensitive parameter names in query parameters etc., so the toLowerCase seems redundant and it causes issues as detailed above. 


Regards,

Chris





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to