Re: Webapp with underscore in it's name leads to failed session-cookies
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/22/16 6:58 AM, Mark Thomas wrote: > On 22/06/2016 11:29, Mark Thomas wrote: >> On 22/06/2016 09:28, Markus Näher wrote: > >>> In the web console of firefox, I could see that the session >>> cookie was set with the path /jsf%5ftest, while other cookies >>> (set by myfaces) were correctly set with the path /jsf_test. It >>> looks like firefox treats /jsf_test and /jsf%5ftest as >>> different pathes and therefore does not send the session cookie >>> with the next request, while chromium ignores the difference. >> >> I see a similar issue if I rename the examples web application >> to "exa_mples". It shouldn't take me too long to figure out where >> things are going wrong. > > Tomcat is correctly setting the path for the session cookie as > "/exa_mples" > >> I'll keep that in mind once I figure out the root cause. It may >> impact how we fix this. > > The problem is that FireFox, by default, encodes all URIs and > doesn't take account of the encoding when matching URIs to cookie > paths. Failing to account for encoding looks like a FireFox bug to > me. > > A possible work-around is to disable the automatic encoding of URLs > that FireFox provides by setting network.standard-url.encode-utf8 > to false under about:config. > >>> Unfortunately, my real-world productive project has an >>> underscore in it's name too, but as many users have bookmarked >>> it, I can't just rename it. >>> >>> Is this a bug in tomcat ? >> >> At this point I'd say it is likely but until I dig into this to >> figure out exactly what the root cause is, I can't be sure. > > No, it is a FireFox bug. And a long standing one at that. > https://bugzilla.mozilla.org/show_bug.cgi?id=665851 Something doesn't smell right, here. I've been using Mozilla Firefox and Tomcat together for ... ever and my primary web application used for development is called "cschultz-[product]" (note the hyphen). I have never ever had any issues with that hyphen bring broken anywhere along the way. (I'm not sure I've tried an underscore... I could try that). Here are my relevant settings from about:config: network.standard-url.encode-utf8;true network.standard-url.escape-utf8;true Does this only effect underscores? - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXbVAvAAoJEBzwKT+lPKRYcC4QAJ9vK+NvkJCTDKfW80BaLZSO j7jXWgbMf9rOTGfV7BSD+seBcId2ixJjOjod2yNJJ21d83BXbdPFGP96staRTt3v 8TOB/42WBIlfMt+CHvI/ltVBUsQ644so55qy6HrQcBO9yjVJiy3mzyJMTjAjLGZW nGvnZm4enUGqPqiPgY26TRxOR9toNpH9mq4qHQdSM+vesLnB7t0C2pNt0v5Wj3Og Nr6g8GIWN0czA8eClUp8I4PQP/ZCEs5o8lbkBo9MCmz7H0uijEIfI7R0uDE2ptWy pZ8N7a4kv/8LHZdShGQJ/RSUDVTb3dbaI2rfpOfKmKEVmt3LSEgHNb6N+DB64KLW qMXhiKqiSqi2UUOgOZvbBmfpcDFPEd7uYTnHzXjojeOsKxF5jtVxpgEGrWTcTY9t F3BdVk5PuYUZTAI3fpOT5CuAHfZ8hThi7ouWiIjo9LlYBq8senEXteXwTvZnfJGc rsOq7ADHQX1T7MQjrH7qqIfSeXb0ekaucRubp2uXH6WSZ7kbGmssUc5M/ZTEOcWu NJr+XXHKyp7+8ubBgTWZLRVnl1ZrMLAQMklIEj3TbURYUlSQTKDLkwGHHDyFNZck mamDfoiu/zSbOn6ocuoDBm0UXfK24FDbf/Ega7Y7V+ChFuKPLKdf8pUNPGkuqBmA Q8lPLYh11HWvayvXTP50 =TobU -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Webapp with underscore in it's name leads to failed session-cookies
On 22/06/2016 11:29, Mark Thomas wrote: > On 22/06/2016 09:28, Markus Näher wrote: >> In the web console of firefox, I could see that the session cookie was >> set with the path /jsf%5ftest, while other cookies (set by myfaces) were >> correctly set with the path /jsf_test. >> It looks like firefox treats /jsf_test and /jsf%5ftest as different >> pathes and therefore does not send the session cookie with the next >> request, while chromium ignores the difference. > > I see a similar issue if I rename the examples web application to > "exa_mples". It shouldn't take me too long to figure out where things > are going wrong. Tomcat is correctly setting the path for the session cookie as "/exa_mples" > I'll keep that in mind once I figure out the root cause. It may impact > how we fix this. The problem is that FireFox, by default, encodes all URIs and doesn't take account of the encoding when matching URIs to cookie paths. Failing to account for encoding looks like a FireFox bug to me. A possible work-around is to disable the automatic encoding of URLs that FireFox provides by setting network.standard-url.encode-utf8 to false under about:config. >> Unfortunately, my real-world productive project has an underscore in >> it's name too, but as many users have bookmarked it, I can't just rename >> it. >> >> Is this a bug in tomcat ? > > At this point I'd say it is likely but until I dig into this to figure > out exactly what the root cause is, I can't be sure. No, it is a FireFox bug. And a long standing one at that. https://bugzilla.mozilla.org/show_bug.cgi?id=665851 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Webapp with underscore in it's name leads to failed session-cookies
On 22/06/2016 09:28, Markus Näher wrote: > Hi, > > I'm working on a JSF (myfaces) project that runs on Tomcat. First I > thought it was a myfaces issue, but they told me that the container is > responsible for the session cookie, so now I'm here :-) That is correct. To a point. There are some things the application can do to control the session cookie so the problem may lie elsewhere but, with the information provided to date, you look to be asking in the right place. > I've created a minimal JSF test project and I called it jsf_test. When I > open the tomcat manager (web) and the webapp's welcome page in the > browser, I can see that every reload of the webapp page increases the > session count. If you have a test case it is generally a good idea to put it somewhere where the members of the mailing list can access it. > In the web console of firefox, I could see that the session cookie was > set with the path /jsf%5ftest, while other cookies (set by myfaces) were > correctly set with the path /jsf_test. > It looks like firefox treats /jsf_test and /jsf%5ftest as different > pathes and therefore does not send the session cookie with the next > request, while chromium ignores the difference. I see a similar issue if I rename the examples web application to "exa_mples". It shouldn't take me too long to figure out where things are going wrong. > I also noticed that the issue does not occur on every deployment / > tomcat restart. It looks like the webapp name is stored internally > during initialization, and depending on little timing variations (race > condition ?), it is either initialized to the escaped or the unescaped > value. Tomcat manager always displays the unescaped name. That is very strange. Web application initialisation is single threaded (per webapp) so a race condition is unlikely. > Among my teammates, some are always affected, some occasionally, and > some never. That suggests something triggered by the environment. No idea what it could be at this point though. > After renaming the webapp to "jsftest", the session count increments > were gone. > The issue also occurs with a minus in the name, like "jsf-test". I'll keep that in mind once I figure out the root cause. It may impact how we fix this. > Unfortunately, my real-world productive project has an underscore in > it's name too, but as many users have bookmarked it, I can't just rename > it. > > Is this a bug in tomcat ? At this point I'd say it is likely but until I dig into this to figure out exactly what the root cause is, I can't be sure. > Environment: > OS: Linux / Windows > Tomcat version: 8.0.36 > JDK: Oracle JDK 1.8.0_92 > Within the team, we're using different minor verions, but I've tested > with the newest ones. Thanks for providing the version info. Not everyone does and it can often be very helpful. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Webapp with underscore in it's name leads to failed session-cookies
Hi, I'm working on a JSF (myfaces) project that runs on Tomcat. First I thought it was a myfaces issue, but they told me that the container is responsible for the session cookie, so now I'm here :-) I've created a minimal JSF test project and I called it jsf_test. When I open the tomcat manager (web) and the webapp's welcome page in the browser, I can see that every reload of the webapp page increases the session count. In the web console of firefox, I could see that the session cookie was set with the path /jsf%5ftest, while other cookies (set by myfaces) were correctly set with the path /jsf_test. It looks like firefox treats /jsf_test and /jsf%5ftest as different pathes and therefore does not send the session cookie with the next request, while chromium ignores the difference. I also noticed that the issue does not occur on every deployment / tomcat restart. It looks like the webapp name is stored internally during initialization, and depending on little timing variations (race condition ?), it is either initialized to the escaped or the unescaped value. Tomcat manager always displays the unescaped name. Among my teammates, some are always affected, some occasionally, and some never. After renaming the webapp to "jsftest", the session count increments were gone. The issue also occurs with a minus in the name, like "jsf-test". Unfortunately, my real-world productive project has an underscore in it's name too, but as many users have bookmarked it, I can't just rename it. Is this a bug in tomcat ? Environment: OS: Linux / Windows Tomcat version: 8.0.36 JDK: Oracle JDK 1.8.0_92 Within the team, we're using different minor verions, but I've tested with the newest ones. Regards, Markus Näher - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org