Bill Barker wrote:
No, an un-escaped semicolon is a reserved character by RFC 2396, section
2.2. Since RFC 2616 section 3.2.1 uses 2396 as a reference, then an
un-escaped semicolon isn't valid in a session-id. Of course the patch
doesn't totally work since something like:
http://www.myfirm.com/myapp;foo=bar/mycontext;user=me/mypage.jsp;jsessionid=xxyyzz
is perfectly valid, and by 2396 section 3.3 should map to the same resource
as:
http://www.myfirm.com/myapp/mycontext/mypage.jsp
(just that the resource can return different content depending on the
params). Of course, Tomcat doesn't handle this case correctly either.
Just to be clear, the 2396 property foo=bar refers only to /myapp,
and not specifically /myapp/mycontext and has no bearing on
/myapp/mycontext/mypage.jsp. That's just a common Java misinterpretation,
and the reason httpd server doesn't specifically support ';' syntax (which
isn't to say it's not generally supported; /myapp is not /myapp;foo=bar).
Unless you can clarify for us what the distinction is between:
http://www.myfirm.com/myapp;foo=bar/mycontext/mypage.jsp
http://www.myfirm.com/myapp/mycontext;foo=bar/mypage.jsp
http://www.myfirm.com/myapp/mycontext/mypage.jsp;foo=bar
which might lead me to believe that folks implemented 2396 purposefully.
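
The per-segment reading of RFC 2396 section 3.3 discussed in both messages, as an added Python example that is not part of the thread and is not Tomcat or httpd code. The function names are hypothetical; the URLs are the ones quoted above, and the last-segment-only helper is an assumed contrast case, not a description of the patch.

```python
from urllib.parse import urlsplit

def split_segment(segment):
    """Split one path segment into (name, params); ';' delimits params."""
    name, *raw = segment.split(";")
    params = {}
    for item in raw:
        if item:  # ignore empty pieces such as a trailing ';'
            key, _, value = item.partition("=")
            params[key] = value
    return name, params

def parse_path(url):
    """Return (resource_path, [(segment_name, params), ...]).

    urlsplit() does not percent-decode, so an escaped %3B stays inside the
    segment name as data and is never treated as a delimiter.
    """
    path = urlsplit(url).path
    parsed = [split_segment(s) for s in path.split("/")[1:]]
    resource = "/" + "/".join(name for name, _ in parsed)
    return resource, parsed

def param_owner(url, key):
    """Name of the segment that carries parameter `key`, or None."""
    for name, params in parse_path(url)[1]:
        if key in params:
            return name
    return None

def strip_last_segment_only(url):
    """Assumed contrast: remove params from the final segment only."""
    head, _, last = urlsplit(url).path.rpartition("/")
    return head + "/" + last.split(";")[0]

# URLs quoted in the thread.
FULL = ("http://www.myfirm.com/myapp;foo=bar/mycontext;user=me/"
        "mypage.jsp;jsessionid=xxyyzz")
VARIANTS = [
    "http://www.myfirm.com/myapp;foo=bar/mycontext/mypage.jsp",
    "http://www.myfirm.com/myapp/mycontext;foo=bar/mypage.jsp",
    "http://www.myfirm.com/myapp/mycontext/mypage.jsp;foo=bar",
]

if __name__ == "__main__":
    print(parse_path(FULL))
    print(strip_last_segment_only(FULL))
    for url in VARIANTS:
        print(parse_path(url)[0], "foo belongs to", param_owner(url, "foo"))
```

Any component that makes routing or access decisions on the path should compare the per-segment result, because the last-segment-only form still contains `;foo=bar` and `;user=me` and will not match a rule written for /myapp/mycontext/mypage.jsp.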