Enable Cross (Sub)Domain Tracking is not working - tomcat
---------------------------------------------------------

                 Key: OFBIZ-4785
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4785
             Project: OFBiz
          Issue Type: Bug
          Components: ALL APPLICATIONS
    Affects Versions: SVN trunk
            Reporter: K Sharad Bhushan

While we were upgrading OFBiz for our applications, I have noticed the usage of enabling cross domain tracking and was planning to use it. We had a custom solution previously for Tomcat, as it was not supporting the session cookie domain being configurable (version ).

Here is the description of the issue:

In OFBiz, cross domain session cookies were allowed using configuration in ofbiz-container.xml, by setting a value for cookie.domain in url.properties and enabling the property "enable-cross-subdomain-sessions" to true in ofbiz-containers.xml. This is not working.

When I debugged, I noticed the cause in CrossSubdomainSessionValve.java, where the cookie domain is supposed to be replaced/overridden in the response mime headers, but it was trying to replace it in the request mime headers.

Here is the line of code in CrossSubdomainSessionValve:

    MimeHeaders mimeHeaders = request.getCoyoteRequest().getMimeHeaders();

Following this is the line:

    if (mimeHeaders.getName(i).equals("Set-Cookie")) { // in request the header is "Cookie" and in response the header is "Set-Cookie".

When I checked the svn history, I noticed it was replacing the response headers till version r938061, which is the expected behaviour; after a migration to tomcat 7 revision r938061 I noticed the above described change. I assume this was done due to deprecation of the method "getCoyoteResponse()" in Request, i.e.

    request.getCoyoteResponse().getMimeHeaders();

However, I have the following observations which can be considered in fixing; I would attach the patches after we validate them.

I do not see the need for CrossSubdomainSessionValve any more now, as Tomcat since version 6.0.27 supports configuring the domain for session cookies in "Context". We can use the StandardContext to set the sessionCookieDomain. With that said, there are two approaches to achieve this:

1. Use the standard cookie.domain in url.properties to set sessionCookieDomain when enable-cross-subdomain-sessions is set to true, which I think is self explanatory.

2. Allow the configuration of the cookie domain via the webapp info defined in ofbiz-component.xml (which is actually the Context used by Tomcat). However, I am not able to find a relevant context to support this, but it seems a possibility.

Please let me know your thoughts.
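
The request/response mismatch described in the report, as an added example that is not part of the original message or of the OFBiz code base. The header lists are a hypothetical stand-in for Tomcat's MimeHeaders, and the header values and the domain .example.com are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;

public class CookieDomainRewriteDemo {
    // Hypothetical stand-in for Tomcat's MimeHeaders: ordered {name, value} pairs.
    static int rewriteSessionCookieDomain(List<String[]> headers, String domain) {
        int rewritten = 0;
        for (String[] h : headers) {
            // Only response headers ever carry "Set-Cookie"; requests carry "Cookie".
            if (!h[0].equalsIgnoreCase("Set-Cookie") || !h[1].startsWith("JSESSIONID=")) {
                continue;
            }
            StringBuilder out = new StringBuilder();
            for (String attr : h[1].split(";")) {
                String a = attr.trim();
                // Drop any existing Domain attribute so exactly one remains.
                if (a.isEmpty() || a.regionMatches(true, 0, "Domain=", 0, 7)) {
                    continue;
                }
                if (out.length() > 0) out.append("; ");
                out.append(a);
            }
            h[1] = out.append("; Domain=").append(domain).toString();
            rewritten++;
        }
        return rewritten;
    }

    public static void main(String[] args) {
        // Constructed sample headers for one request/response pair.
        List<String[]> request = new ArrayList<>();
        request.add(new String[] {"Host", "shop.example.com"});
        request.add(new String[] {"Cookie", "JSESSIONID=0123ABCD"});
        List<String[]> response = new ArrayList<>();
        response.add(new String[] {"Content-Type", "text/html"});
        response.add(new String[] {"Set-Cookie", "JSESSIONID=0123ABCD; Path=/; HttpOnly"});

        // Scanning the request headers, as the report describes: nothing matches.
        System.out.println("request headers rewritten:  "
                + rewriteSessionCookieDomain(request, ".example.com"));
        // Scanning the response headers: the session cookie gets the shared domain.
        System.out.println("response headers rewritten: "
                + rewriteSessionCookieDomain(response, ".example.com"));
        System.out.println(response.get(1)[0] + ": " + response.get(1)[1]);
    }
}
```

A Domain of .example.com makes the browser send the session cookie to every host under that domain, so each of those hosts has to be trusted with the session.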