Chris,

> As for your image URLs failing due to those path parameters... why are
> they failing? Which component is generating those HTTP 500 responses?

I did some more investigation and my app would not display the image with the ";":

http://www.myapp.co.uk/images/image_32x32.png;jsessionid=52FC7E289A9BDAB18ABBBE7D1C5CC85A

26-Apr-2018 15:16:43.356 SEVERE [ajp-nio-8009-exec-2] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
        at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
        at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

Something in Spring Security is blocking the ";" in the URL. I will go back to 8.5.x to see if I still get the ;jsessionid on the URLs; my thinking is that it probably always did have the jsessionid, but it was not blocked by Spring Security.

Cheers
Greg

On 26 April 2018 at 14:11, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Greg,
>
> On 4/26/18 4:53 AM, Greg Huber wrote:
> > Hello,
> >
> > One thing I have noticed with Tomcat 9.0.x is that I get a lot of
> > ;jsessionid=xxx appended to my URLs. This did not happen with
> > 8.5.x.
> >
> > /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> >
> > 500 Internal Server Error /images/image_32x32.png;jsessionid= ...
> > 23784378307846F: 1 Time(s) /images/image_32x32.png;jsessionid= ...
> > 85D9B02C5A030FF: 1 Time(s)
> >
> > From previous experience this happens when there is no session.
> > I use Struts and have used encode="false" on the tags to prevent this:
> >
> > <s:url value="/" encode="false" />
> >
> > Also I have used (in the past) <%@ page session="false" %> but
> > have commented this out as it causes downstream problems for me.
> >
> > Would there be a reason why this has now started happening on 9?
>
> I'm not sure about why Tomcat 9 specifically might be doing this if
> Tomcat <9 didn't, but this happens when:
>
> 1. An unauthenticated user makes a request
> 2. There was no session-id in the request
> 3. The server decided to create a session
> 4. The server can't prove that cookies are supported by the client
>
> When all those things happen, all URLs (when "encoded") should contain
> ";jsessionid=" path parameters because the client might not accept the
> Set-Cookie response header.
>
> You can explicitly disable URL-based session-tracking if you'd like in
> WEB-INF/web.xml:
>
> <session-config>
>   <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> This will of course require cookies. I'm not sure if that's okay for you.
>
> As for your image URLs failing due to those path parameters... why are
> they failing? Which component is generating those HTTP 500 responses?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrh0AMACgkQHPApP6U8
> pFgxbw//dyJKCTcfaHSIsFWC1VbPbe3glKZhq9iKROiJZohtc4+muXL00uwNA7tv
> SyX9B2WcknHInEO1jmN0aXdiTs8mri1iqJsLYyomwCWsyMlD0Ekkwk8C6BHdHVbv
> HExzFmQ0sChs6X37SYUpdbW8LMe/9g8aGgY4EbpTT7jzMk6cq+iXqLIpQEpbCFLX
> VnBY+8HJtKN7Asernrb44ZVrHhdVAv+jT8CcNMw96K2sMKm1fXYXqI1WD7Gx3sDO
> uQyb17mVNepK/6qnaJ6F6a3Rzmwf1+CDzi+LRtpX39/8ebkT1gC+8dpFZ2wrOb7P
> n1Gx+fEhoYS6g2F+ytcpJaKVId1s5AEJCWQoF+WkWdc+XN7qR2HBPGuYX0hh7KxQ
> 01+LSrN88j5GXvtFnFIzcMCrpUg1q7BVnLVVItusuDSbRJFBTt899ekYH1xfe/Vu
> TVuK4K6fSZPGw3vK7JxkYK0I7mjZrNonyqjDvr2mBcwrK2u98EnhuctwLYvF9ilt
> DGEb3prZHvr7cjceSJ/MAoff7OU/ZAnuCGYhRxpb1DHsVAaSMyxa3gqOMy025WHh
> WviCRORP/sru1YRvd33eS1ZhEtawcTpmP7meyDSTRSBI6tf61Gmw7tIr/vnQL4YJ
> Z/IaXFgjQJR57bxjG/G+/4xyDe3VB6W8V73tymC6l6mWYfwtGH4=
> =xqYE
> -----END PGP SIGNATURE-----
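The stack trace in Greg's message names the component: Spring Security's StrictHttpFirewall rejects any request URI containing ";" before the servlet ever sees it, which is why a Tomcat-generated ";jsessionid=..." path parameter turns into an HTTP 500 on a static image. The following Java configuration is an added example written for this page, not code from the thread or from the Spring Security project; it shows the Spring-side alternative to Chris's web.xml change, i.e. replacing the default firewall with one that tolerates semicolons while keeping every other StrictHttpFirewall check at its default. The class name SemicolonFirewallConfig and the bean name semicolonTolerantFirewall are assumptions; StrictHttpFirewall.setAllowSemicolon and WebSecurity.httpFirewall are real Spring Security 5.x APIs.

```java
// Added example, not from the thread. Registers a StrictHttpFirewall that
// allows ";" in the request URI so that Tomcat's ";jsessionid=..." path
// parameter no longer triggers RequestRejectedException. Names of the
// class and bean are assumptions; the Spring APIs used are real (5.x).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class SemicolonFirewallConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public HttpFirewall semicolonTolerantFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Relax only the semicolon check. The remaining defaults (rejection of
        // encoded slashes, backslashes, "%25", ".." segments and non-normalized
        // paths) are left untouched, so the firewall still does its job.
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // The firewall wraps every request before the security filter chain
        // runs, so the replacement has to be registered on WebSecurity, not
        // on HttpSecurity.
        web.httpFirewall(semicolonTolerantFirewall());
    }
}
```

The firewall rejects semicolons by default because a path parameter makes the same resource reachable under more than one request URI, which complicates path-based authorization rules; relaxing it is therefore the broader of the two fixes. Where the application can require cookies, Chris's `<tracking-mode>COOKIE</tracking-mode>` in WEB-INF/web.xml is the narrower change: Tomcat then stops emitting the path parameter at all and the default firewall can stay as it is.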