users@glassfish.java.net

Re: Cookie handling in GlassFishv3

From: Major Péter <majorpetya_at_sch.bme.hu>
Date: Wed, 27 Jan 2010 16:18:21 +0100

As far as I can see, the agent uses the getCookies method, so I can only
imagine that this issue wasn't backported to GFv2.1.1, or that it is
solved there in a completely different way...

On 2010-01-27 02:31, Shing Wai Chan wrote:
> This has been changed due to
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=6875
> If the value of the cookie has special characters,
> then we will put a double-quote in the value and change cookie version
> to be equal to 1.
>
> When the browsers receive the cookie, the version info is not saved.
> And the cookie with value having a double quote is sent to the server.
> GlassFish and latest Tomcat will remove the double quote regardless of
> the cookie version.
> Therefore, when we call HttpServletRequest.getCookies(), the cookie
> values are correct.
> (It will not have any double quote.)
>
> The problem will arise if there is code interpreting the HTTP request
> header directly.
> In this case, the double quote will be treated as part of the cookie
> value which is problematic.
>
> If the cookie value is url encoded, there will be no double quotes added.
> The problem will go away as you noticed.
>
> Shing Wai Chan
>
>
> Jan Luehe wrote:
>> Hi Peter,
>>
>> On 01/25/10 05:44 PM, Major Péter wrote:
>>> Hi,
>>>
>>> Is it possible, that something changed in the cookie handling between
>>> GFv2 and v3? I'm experiencing some problems with my OpenSSO + Agent
>>> configurations, possibly because the cookies are in GFv3 now by default
>>> url-encoded. Is this true? If so, how can I disable this behaviour?
>>>
>>
>> You mean "session ids [as opposed to cookies] are in GFv3 now by default
>> url-encoded", right? :)
>>
>> Yes, this is a side-effect of the fix for:
>>
>> https://glassfish.dev.java.net/issues/show_bug.cgi?id=4394
>>
>> See the comment I had added there:
>>
>> <comment>
>> Based on feedback received by the community, "enableURLRewriting"
>> needs to be supported as a property "in its own right", i.e., it must be
>> possible to set both "enableCookies" and "enableURLRewriting" to
>> "true" (or "false") at the same time.
>>
>> paulcb_at_dev.java.net wrote:
>>
>> Personally I think that the way it was before was much better in
>> that the server effectively assumes the worst case (there is no cookie
>> support) and rewrites the first URL and sets a cookie. If a request
>> has a cookie, then it would no longer rewrite the urls.
>>
>> See the thread at
>> http://forums.java.net/jive/thread.jspa?messageID=328588 for
>> additional details.
>>
>> By default, both "enableCookies" and "enableURLRewriting" will be
>> set to true.
>> </comment>
>>
>> Note that Servlet 3.0 adds standard support for configuring the
>> desired session tracking modes for your application. You can disable URL
>> rewriting either declaratively (in your web.xml), as follows:
>>
>>   <web-app>
>>     <session-config>
>>       <tracking-mode>COOKIE</tracking-mode>
>>     </session-config>
>>   </web-app>
>>
>> OR programmatically (e.g., from a ServletContextListener), like this:
>>
>>   servletContext.setSessionTrackingModes(
>>       EnumSet.of(SessionTrackingMode.COOKIE));
>>
>> Hope this helps.
>>
>> Thanks,
>>
>>
>> Jan
>>
>>> Thanks.
>>>
>>> Best Regards,
>>> Peter Major
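
An added example, not part of the original thread and not GlassFish, Tomcat or OpenSSO agent code: it shows the mismatch described in Shing Wai Chan's reply, where code that reads the raw Cookie header keeps the double quotes that getCookies() removes, so a token comparison fails. The class name, the cookie name `ssoToken` and the token value are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration; cookie name and token value below are constructed.
public class RawCookieHeader {
    // Keeps each value exactly as it appears in the header (quotes included).
    static Map<String, String> parseVerbatim(String header) {
        return parse(header, false);
    }

    // Drops one pair of surrounding double quotes regardless of cookie version,
    // the behaviour the thread describes for HttpServletRequest.getCookies().
    static Map<String, String> parseUnquoting(String header) {
        return parse(header, true);
    }

    private static Map<String, String> parse(String header, boolean unquote) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            int start = i;
            boolean inQuotes = false;
            // Advance to the ';' ending this pair; a ';' inside quotes is data.
            while (i < n && (inQuotes || header.charAt(i) != ';')) {
                if (header.charAt(i) == '"') inQuotes = !inQuotes;
                i++;
            }
            String pair = header.substring(start, i).trim();
            i++; // step over the ';'
            int eq = pair.indexOf('=');
            if (eq <= 0) continue; // no name: skip the malformed pair
            String value = pair.substring(eq + 1).trim();
            if (unquote && value.length() >= 2
                    && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);
            }
            cookies.put(pair.substring(0, eq).trim(), value);
        }
        return cookies;
    }

    public static void main(String[] args) {
        String issued = "AQIC5w=abc;def"; // constructed token with special characters
        String header = "ssoToken=\"" + issued + "\"; lang=en";
        String raw = parseVerbatim(header).get("ssoToken");
        String clean = parseUnquoting(header).get("ssoToken");
        System.out.println("verbatim : " + raw + " matches=" + issued.equals(raw));
        System.out.println("unquoting: " + clean + " matches=" + issued.equals(clean));
    }
}
```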