2015-07-21 14:38 GMT+03:00 Rahul Kumar Singh <[email protected]>:
> Hello Tomcat Team,
>
> “;jsessionid=C1A67FB90E1300DF14EE027A3634A34B” passed in URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in Tomcat 6 (V6.0.28). It is received in Tomcat 7 (V7.0.54).
> What is the reason for the different behavior?
>
> I used the WGET command to send the same request to both versions of Tomcat. Access
> logs (logs/localhost_access_log.txt) of both Tomcat versions show the
> difference.
>
>
> WGET REQUEST:
> wget "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
>
>
> Observations:
> TOMCAT 7.0.54 ACCESS LOGS:
> 127.0.0.1 - - [21/Jul/2015:08:30:13 +0000] "GET
> /login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 1063
>
>
> -----Original Message-----
> From: Rahul Kumar Singh
> Sent: Tuesday, June 23, 2015 6:17 PM
> To: 'Tomcat Users List'
> Subject: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID.
>
> Hello Tomcat team,
>
> In Tomcat 7.0.54 we have observed that the login URL is appended with the JSESSIONID
> parameter in our web application.
> Example:
> /framework/login.action;jsessionid=098D3C84B56FF2A2A25E88E4F059A20B
>
> System Configuration (WINDOW7+IE-8)
>
> Due to this, session authentication fails.
>
1. Step by step recipe to reproduce your issue = ?

2. 6.0.28 is old. The current one is 6.0.44

3. http://tomcat.apache.org/security-6.html
CVE-2013-2067 ?
