users@glassfish.java.net

Re: How to prevent Glassfish v2 to rewrite urls with jsessionid?

From: <glassfish_at_javadesktop.org>
Date: Fri, 04 Jan 2008 16:44:59 PST

This is a bug in GlassFish.

Currently, the impl of HttpServletResponse.encodeURL() suppresses adding a jsessionid to its url argument only if the corresponding session was resumed from a cookie, but it does not consider the case where the session was newly generated. In the latter case, the jsessionid will be appended to the url argument unconditionally, even if the webapp supports cookies (meaning the newly generated jsessionid has already been added to the response as a cookie).

The diffs below (generated against the GlassFish V2U1 codebase) should fix the issue. Let me know if you prefer that I send you the patch in the form of a class file (inside a JAR) instead, so you can test it.

In the meantime, I am going to file a bug in the GlassFish issue tracker.

Following are the diffs:

Index: CoyoteResponse.java
===================================================================
RCS file: /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteResponse.java,v
retrieving revision 1.22.8.1
diff -u -r1.22.8.1 CoyoteResponse.java
--- CoyoteResponse.java 30 Oct 2007 00:17:09 -0000 1.22.8.1
+++ CoyoteResponse.java 5 Jan 2008 00:29:27 -0000
@@ -1486,8 +1486,10 @@
         final Session session = hreq.getSessionInternal(false);
         if (session == null)
             return (false);
- if (hreq.isRequestedSessionIdFromCookie())
+ if (hreq.isRequestedSessionIdFromCookie() ||
+ (getContext() != null && getContext().getCookies())) {
             return (false);
+ }

         if (SecurityUtil.isPackageProtectionEnabled()) {
             return ((Boolean)
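
Review bot: The added clause `getContext().getCookies()` in the new condition depends only on the context's configuration, not on the request, so with cookies enabled for the webapp this path returns false for every session, including sessions of clients that never send the cookie back; URL rewriting then stops acting as a fallback for those clients. If that is the intended behaviour, say so in a comment above the condition; otherwise restrict the new clause to the newly generated session case that the fix targets. A smaller point on the same lines: getContext() is called twice and could be read into a local once.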


Thanks,

Jan
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=252318