Details
Bug
Resolution: Obsolete
Major
None
1.1.3.Final, 1.2.0.Final
None
Description
Looking at the code of remove_session_route (and trying it), I saw that URLs like these
/test.jsp;jsessionid=1233454532432342.NODE01
/test.jsp;jsessionid=1233454532432342.NODE01?p1=v1&p2=v2
/test.jsp;jsessionid=1233454532432342.NODE01;otherparam=value
are not correctly parsed and the session id is not removed.
Note that the code seems to handle jsessionid as a URL parameter and not as a URL "path parameter" (see for instance http://doriantaylor.com/policy/http-url-path-parameter-syntax).
This is, for instance, a piece of Tomcat code that does something like what remove_session_route should do (at least in the URL part):
    /**
     * Strips a servlet session ID from <tt>url</tt>. The session ID
     * is encoded as a URL "path parameter" beginning with "jsessionid=".
     * We thus remove anything we find between ";jsessionid=" (inclusive)
     * and either EOS or a subsequent ';' (exclusive).
     *
     * taken from org.apache.taglibs.standard.tag.common.core.ImportSupport
     */
    public static String stripSession(String url) {
        StringBuffer u = new StringBuffer(url);
        int sessionStart;
        while ((sessionStart = u.toString().indexOf(";jsessionid=")) != -1) {
            int sessionEnd = u.toString().indexOf(";", sessionStart + 1);
            if (sessionEnd == -1)
                sessionEnd = u.toString().indexOf("?", sessionStart + 1);
            if (sessionEnd == -1) // still
                sessionEnd = u.length();
            u.delete(sessionStart, sessionEnd);
        }
        return u.toString();
    }
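An added C example, not code from mod_cluster, Tomcat or the reporter, that treats jsessionid as a path parameter for the three URL forms listed above. The function name strip_jsessionid_path_param is hypothetical; unlike the quoted Java, it ends the parameter at whichever of ';' or '?' comes first and never touches the query string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: removes every ";jsessionid=<value>" path parameter
 * from url in place and returns url. The value ends at the earliest of
 * ';', '?' or end of string. Only the path (the part before the first
 * '?') is scanned, so the same text inside a query string is kept. */
static char *strip_jsessionid_path_param(char *url)
{
    static const char key[] = ";jsessionid=";
    const size_t keylen = sizeof(key) - 1;
    char *scan = url;

    for (;;) {
        /* Recompute where the path ends; earlier removals shift it. */
        size_t pathlen = strcspn(url, "?");
        char *hit = strstr(scan, key);
        if (hit == NULL || (size_t)(hit - url) >= pathlen)
            break;
        /* Skip the session id (including any ".ROUTE" suffix). */
        char *end = hit + keylen + strcspn(hit + keylen, ";?");
        /* Close the gap; +1 copies the terminating NUL as well. */
        memmove(hit, end, strlen(end) + 1);
        scan = hit;
    }
    return url;
}

int main(void)
{
    /* The three URLs from the report, plus one constructed query case. */
    char urls[][80] = {
        "/test.jsp;jsessionid=1233454532432342.NODE01",
        "/test.jsp;jsessionid=1233454532432342.NODE01?p1=v1&p2=v2",
        "/test.jsp;jsessionid=1233454532432342.NODE01;otherparam=value",
        "/test.jsp?p1=v1;jsessionid=constructed",
    };
    for (size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
        printf("%s\n", strip_jsessionid_path_param(urls[i]));
    return 0;
}
```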