Re: No URL rewriting when cookies are disabled
Yep, that was it exactly... I've been spoiled by frameworks :)

I did some experimentation myself, and dug a little in framework code, and indeed, this has been taken care of for me in the past, and I assumed it's done by Tomcat (or any servlet container, for that matter), but it isn't.

Thanks,
Naaman

Christopher Schultz-2 wrote:
> André,
>
> André Warnier wrote:
>> Actually, I was just perusing a page in the Tomcat 6 docs :
>> http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
>>
>> and it actually says, for the "cookies" attribute :
>> Set to true if you want cookies to be used for session identifier
>> communication if supported by the client (this is the default). Set to
>> false if you want to disable the use of cookies for session identifier
>> communication, and rely only on URL rewriting *by the application*.
>
> André has the answer right here (though without details).
>
> In order to get your application to rewrite URLs, you need to pass every
> single outgoing URL through the HttpServletResponse.encodeURL method (or
> HttpServletResponse.encodeRedirectURL if you are using a redirect).
>
> I've found that this detail is often overlooked in web applications.
> Most JSP tag libraries and things like that do this transparently, so
> you may not have even been aware that it was a requirement.
>
> Good luck reviewing all that code ;)
>
> -chris
Re: No URL rewriting when cookies are disabled
Hi,

Pimping the JSP XML syntax and XSL... :)

If, by any chance your JSPs are using XML syntax (or well-formed or can be well-formed), you can use XSL to transform all of your links to be encoded for cookie-less users.

For example, the following JSP:

http://java.sun.com/JSP/Page"; xmlns:c="http://java.sun.com/jsp/jstl/core " version="2.0"> doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd " doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"/> http://www.w3.org/1999/xhtml";> foo blah blah class="foo">foo blah.

can use the following XSL to transform it:

http://www.w3.org/1999/XSL/Transform"; version="2.0" xmlns:x="http://www.w3.org/1999/xhtml"; xmlns:c="http://java.sun.com/jsp/jstl/core"; exclude-result-prefixes="x"> ${uri}

to create:

http://java.sun.com/JSP/Page " xmlns:c="http://java.sun.com/jsp/jstl/core"; version="2.0"> doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1- transitional.dtd" doctype-public="-//W3C//DTD XHTML 1.0 Transitional// EN"> http://www.w3.org/1999/xhtml";> foo blah blah foo blah.

best,
-Rob

On Feb 5, 2009, at 6:28 PM, Christopher Schultz wrote:
> André,
>
> André Warnier wrote:
>> Actually, I was just perusing a page in the Tomcat 6 docs :
>> http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
>>
>> and it actually says, for the "cookies" attribute :
>> Set to true if you want cookies to be used for session identifier
>> communication if supported by the client (this is the default). Set to
>> false if you want to disable the use of cookies for session identifier
>> communication, and rely only on URL rewriting *by the application*.
>
> André has the answer right here (though without details).
>
> In order to get your application to rewrite URLs, you need to pass every
> single outgoing URL through the HttpServletResponse.encodeURL method (or
> HttpServletResponse.encodeRedirectURL if you are using a redirect).
>
> I've found that this detail is often overlooked in web applications.
> Most JSP tag libraries and things like that do this transparently, so
> you may not have even been aware that it was a requirement.
>
> Good luck reviewing all that code ;)
>
> -chris
Re: No URL rewriting when cookies are disabled
André,

André Warnier wrote:
> Actually, I was just perusing a page in the Tomcat 6 docs :
> http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
>
> and it actually says, for the "cookies" attribute :
> Set to true if you want cookies to be used for session identifier
> communication if supported by the client (this is the default). Set to
> false if you want to disable the use of cookies for session identifier
> communication, and rely only on URL rewriting *by the application*.

André has the answer right here (though without details).

In order to get your application to rewrite URLs, you need to pass every single outgoing URL through the HttpServletResponse.encodeURL method (or HttpServletResponse.encodeRedirectURL if you are using a redirect).

I've found that this detail is often overlooked in web applications. Most JSP tag libraries and things like that do this transparently, so you may not have even been aware that it was a requirement.

Good luck reviewing all that code ;)

-chris
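
Added example, not part of the original thread and not Tomcat's own code: a minimal servlet showing the two calls named in the message above, with one deliberately unencoded link for comparison. The class name `CounterServlet`, the `/counter` mapping, the `hits` attribute and the `reset` parameter are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; assumed to be mapped to /counter in web.xml.
public class CounterServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? 1 : hits + 1;
        session.setAttribute("hits", hits);

        String self = req.getContextPath() + "/counter";

        // Redirect targets go through encodeRedirectURL, not encodeURL.
        if ("1".equals(req.getParameter("reset"))) {
            session.setAttribute("hits", 0);
            resp.sendRedirect(resp.encodeRedirectURL(self));
            return;
        }

        // Every URL written into the page goes through encodeURL. The container
        // adds ;jsessionid=... unless this request already presented the
        // session id in a cookie, in which case the URL comes back unchanged.
        String again = resp.encodeURL(self);
        String reset = resp.encodeURL(self + "?reset=1");
        String raw = self; // not encoded: loses the session when cookies are off

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>Requests in this session: " + hits + "</p>");
        out.println("<p>Session id arrived via cookie: " + req.isRequestedSessionIdFromCookie()
                + ", via URL: " + req.isRequestedSessionIdFromURL() + "</p>");
        out.println("<a href=\"" + again + "\">again (encoded)</a> | ");
        out.println("<a href=\"" + reset + "\">reset (encoded, then redirect)</a> | ");
        out.println("<a href=\"" + raw + "\">again (not encoded)</a>");
        out.println("</body></html>");
    }
}
```

With cookies disabled in the browser, the two encoded links keep the counter going while the unencoded one starts a new session on every click, which is the behaviour described in the original question. A session id carried in the URL also shows up in access logs, browser history and Referer headers, so it is worth checking where those are stored when relying on this fallback.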
RE: No URL rewriting when cookies are disabled
> From: Gregor Schneider [mailto:rc4...@googlemail.com]
> Subject: Re: No URL rewriting when cookies are disabled
>
> It's a known bug in Tomcat, if I'm not mistaken:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=43839

That bug was fixed over a year ago, and the fix is in the version the OP is running. As Andre said, it's up to the code in the webapp to call the appropriate methods to rewrite URLs. If you don't want to change your code, you may be able to use this:
http://tuckey.org/

 - Chuck
Re: No URL rewriting when cookies are disabled
It's a known bug in Tomcat, if I'm not mistaken:

https://issues.apache.org/bugzilla/show_bug.cgi?id=43839

Rgds

Gregor
Re: No URL rewriting when cookies are disabled
nlif wrote:
> Hi all,
>
> I am using Tomcat 6.0.18, with Firefox 3.0.6.
> I have a simple servlet, which calls request.getSession(true), and expects
> to create a session only on the first request, and resume an existing
> session on all subsequent requests. As far as I know, according to the
> servlet-spec, servlet containers (e.g. Tomcat), should automatically fall
> back to URL rewriting (i.e. adding the jsessionid parameter to the url)
> when the browser refuses to accept cookies.
>
> This works fine with cookies enabled, however, as soon as I disable cookies
> in my browser, a new session is created for each request, and the
> jsessionid is not appended to the URL.
>
> Shouldn't this work by default? (I know I can modify the application code
> to handle this, but I assumed this is not necessary.)

Actually, I was just perusing a page in the Tomcat 6 docs :
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

and it actually says, for the "cookies" attribute :
Set to true if you want cookies to be used for session identifier communication if supported by the client (this is the default). Set to false if you want to disable the use of cookies for session identifier communication, and rely only on URL rewriting *by the application*.

(emphasis is mine)

That sounds to me as, if you want to use URL-rewriting, you have to do it explicitly in the application.
No URL rewriting when cookies are disabled
Hi all,

I am using Tomcat 6.0.18, with Firefox 3.0.6.
I have a simple servlet, which calls request.getSession(true), and expects to create a session only on the first request, and resume an existing session on all subsequent requests. As far as I know, according to the servlet-spec, servlet containers (e.g. Tomcat), should automatically fall back to URL rewriting (i.e. adding the jsessionid parameter to the url) when the browser refuses to accept cookies.

This works fine with cookies enabled, however, as soon as I disable cookies in my browser, a new session is created for each request, and the jsessionid is not appended to the URL.

Shouldn't this work by default? (I know I can modify the application code to handle this, but I assumed this is not necessary.)

Thanks,
Naaman