Enable Cross (Sub)Domain Tracking is not working - tomcat
---------------------------------------------------------

                 Key: OFBIZ-4785
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4785
             Project: OFBiz
          Issue Type: Bug
          Components: ALL APPLICATIONS
    Affects Versions: SVN trunk
            Reporter: K Sharad Bhushan


While we were upgrading ofbiz for our applications, I noticed the usage of 
enabling cross domain tracking and was planning to use it. We had a custom 
solution previously for tomcat, as it was not supporting the session cookie 
domain being configurable (version ).

Here is the description of the issue:

In ofbiz, cross domain session cookies were allowed using configuration in 
ofbiz-container.xml, by setting a value for cookie.domain in url.properties and 
setting the property "enable-cross-subdomain-sessions" to true in 
ofbiz-containers.xml. This is not working. 
 
When debugging, I noticed the cause in CrossSubdomainSessionValve.java, where 
the cookie domain is supposed to be replaced/overridden in the response mime 
headers, but it was trying to replace it in the request mime headers. Here is 
the line of code in CrossSubdomainSessionValve:

            MimeHeaders mimeHeaders = request.getCoyoteRequest().getMimeHeaders();

following this is the line

                if (mimeHeaders.getName(i).equals("Set-Cookie")) { // in request the header is "Cookie" and in response the header is "Set-Cookie".

When I checked the svn history, I noticed it was replacing the response headers 
till version r938061, which is the expected behaviour; after a migration to 
tomcat 7 revision r938061 I noticed the above described change.
I assume this was done due to the deprecation of the method 
"getCoyoteResponse()" in Request, i.e. 
request.getCoyoteResponse().getMimeHeaders();


However, I have the following observations which can be considered in fixing 
this; I would attach the patches after we validate them.
I do not see the need for CrossSubdomainSessionValve any more now, as tomcat 
since version 6.0.27 supports configuring the domain for session cookies in 
"Context". 
We can use the StandardContext to set the sessionCookieDomain. 
With that said, there are two approaches to achieve this:
1. Use the standard cookie.domain in url.properties to set the 
sessionCookieDomain when enable-cross-subdomain-sessions is set to true, which 
I think is self explanatory.
2. Allow the configuration of the cookie domain via the webapp info defined in 
ofbiz-component.xml (which is actually the Context used by tomcat). However, I 
am not able to find a relevant context to support this, but it seems a 
possibility.

Please let me know your thoughts



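The header mismatch described in the report above, shown as an added illustration that is not part of the original report and is not OFBiz or Tomcat code. It models headers as plain name/value pairs; the class name, the sample headers and the ".example.com" domain are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added illustration (hypothetical class, JDK only). It runs the same
// "find Set-Cookie and add a Domain attribute" pass over a request header
// list and over a response header list to show why the first never matches.
public class CookieDomainRewrite {

    // Appends "; Domain=<cookieDomain>" to every JSESSIONID Set-Cookie header
    // that has no Domain attribute yet. Returns how many headers were changed.
    static int rewrite(List<String[]> headers, String cookieDomain) {
        int changed = 0;
        for (String[] h : headers) {
            // "Set-Cookie" exists only on responses; requests carry "Cookie".
            if (!h[0].equalsIgnoreCase("Set-Cookie")) continue;
            String value = h[1];
            if (!value.startsWith("JSESSIONID=")) continue;
            if (value.toLowerCase(Locale.ROOT).contains("domain=")) continue;
            h[1] = value + "; Domain=" + cookieDomain;
            changed++;
        }
        return changed;
    }

    public static void main(String[] args) {
        // Constructed request headers, as a browser would send them.
        List<String[]> request = new ArrayList<>();
        request.add(new String[] {"Host", "shop.example.com"});
        request.add(new String[] {"Cookie", "JSESSIONID=ABC123.jvm1"});

        // Constructed response headers, as the container would emit them.
        List<String[]> response = new ArrayList<>();
        response.add(new String[] {"Content-Type", "text/html"});
        response.add(new String[] {"Set-Cookie", "JSESSIONID=ABC123.jvm1; Path=/; HttpOnly"});

        // Same domain value that cookie.domain would supply (assumed here).
        String domain = ".example.com";
        System.out.println("request headers rewritten:  " + rewrite(request, domain));
        System.out.println("response headers rewritten: " + rewrite(response, domain));
        for (String[] h : response) {
            System.out.println(h[0] + ": " + h[1]);
        }
    }
}
```

A session cookie scoped to a parent domain is sent to every host under that domain, so the value used for cookie.domain should cover only hosts that are meant to share the session.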