Skip to main content

[webtier] Re: [Issue 7091] [web_container] GF 2.1 - Cannot login without cookies

1 reply [Last post]
Anonymous

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Jan Luehe

Hi Paul,

On 01/27/09 13:23, Paul Carter-Brown wrote:
> Hi,
>
> I changed the setting and it now works without cookies. My assumptions
> were correct however in that if I enable cookies on the browser, the
> server still rewrites URL's. Personally I think that the way it was
> before was much better in that the server effectively assumes the
> worst case (there is no cookie support) and rewrites the first URL and
> sets a cookie. If a request has a cookie, then it would no longer
> rewrite the urls. This is the way all other web containers do it so I
> dont see why Glassfish should be any different. The link you attached
> shows that the initial problem people had could have been erradicated
> by turning off URL rewriting in their setups as opposed to regressing
> the default setup.

The link mentioned that people were concerned about the security
implications of exposing
a jsessionid inside a URL when they were not expecting the URL to be
rewritten (since their
webapp was declared to support cookies, via "enableCookies" set to "true").

In the case referred to by the link, people did not want the jsessionid
to be encoded in the URL.
They were under the impression that by setting "enableCookies" to
"true", their concerns
would be addressed.

There was no way for them to express that they wanted to disable URL
rewriting other than
by setting "enableCookies" to "true" (since "enableURLRewriting" was
being ignored at the time
the issue was filed).

Now that I think about it, maybe "enableURLRewriting" should be a
property in its own right,
and it should be possible to set both "enableCookies" and
"enableURLRewriting" to true at the
same time. The way I just fixed
https://glassfish.dev.java.net/issues/show_bug.cgi?id=4394
("server log message says enableURLRewriting is not supported") in
GlassFish v3 is to treat
this as an error case, but maybe that's too restrictive.

Perhaps both properties should be supported, with these semantics:

Case 1:
enableCookies: true
enableURLRewriting: true
-> jsessionid of new session stored in cookie *and* encoded in URL

Case 2:
enableCookies: true
enableURLRewriting: false
-> jsessionid of new session only stored in cookie (and not encoded in URL)

Case 3:
enableCookies: false
enableURLRewriting: true
-> jsessionid of new session only encoded in URL (and not stored in cookie)

Case 4:
enableCookies: false
enableURLRewriting: false
-> invalid

I believe Case 1 should be the default.

Would you agree?

Thanks for brining this up!

Jan

> Its bad practice to only support cookies and now a simple war deployed
> to Glassfish wont maintain state without cookies (i.e. a war without
> this specific setting in sun-web.xml)
>
> Let me know what you think
> Paul
>
>
> -----Original Message-----
> *From*: Paul Carter-Brown
> >
> *To*: jluehe@dev.java.net
> *Cc*: paulcb@dev.java.net
> *Subject*: Re: [Issue 7091] [web_container] GF 2.1 - Cannot login
> without cookies
> *Date*: Tue, 27 Jan 2009 21:52:24 +0200
>
> Hi ,
>
> Thanks for your quick response.
>
> If i change that setting, will the server still put jsessionid in a
> cookie if the browser supports cookies? Without this setting am i
> right in saying glassfish will only maintain a session if the browser
> supports cookies?
>
> Thanks
> Paul
>
>
>
> -----Original Message-----
> *From*: jluehe@dev.java.net
> *To*: paulcb@dev.java.net
> *Subject*: [Issue 7091] [web_container] GF 2.1 - Cannot login without
> cookies
> *Date*: 27 Jan 2009 18:56:48 -0000
>
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=7091
>
>
>
> User jluehe changed the following:
>
> What |Old value |New value
> ================================================================================
> Status|UNCONFIRMED |RESOLVED
> --------------------------------------------------------------------------------
> Resolution| |INVALID
> --------------------------------------------------------------------------------
>
>
>
>
> ------- Additional comments from jluehe@dev.java.net Tue Jan 27 18:56:44 +0000 2009 -------
> I think you are seeing the fix for
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=3972
> ("HttpServletResponse.encodeURL() unconditionally appends jsessionid if session
> is newly created") in action, which was applied to GlassFish v2.1.
>
> In order for your encoded URL to contain the jsessionid, you must bundle with
> your webapp a sun-web.xml with the following contents:
>
>
>
>
>
>
>

>

>

>
> Please let me know if you have any questions. Thanks
>

[att1.html]