Bug #1130


JEE session IDs should be part of the query string

Added by Anonymous over 16 years ago. Updated almost 15 years ago.

Target version:


Lighttpd should treat the semicolon as a query string separator. JEE severs usually use something like `;jsessionid=ABCDEFGHIJKLMN`

-- johann


lighttpd_query_string.diff (1.5 KB) lighttpd_query_string.diff Patch to make JEE session IDs part of the query string. -- johann Anonymous, 2007-04-21 06:58
Actions #1

Updated by darix over 16 years ago

hmm afaik the ";" should be equivalent to the "&" and not the "?" ... so why does it matter if lighty sees the ";" or not?

Actions #2

Updated by Anonymous over 16 years ago

Because a request URI `/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla@ causes Lighttpd to search for bla.jsp;jsessionid=ABCDEFGHIJKLM instead of @bla.jsp`. And it's very likely that `bla.jsp;jsessionid=ABCDEFGHIJKLM` does not exist ;-)

-- johann

Actions #3

Updated by darix over 16 years ago

this url "/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla" is wrong imho.
shouldnt it be "/bla.jsp?jsessionid=ABCDEFGHIJKLM;blorb=bla".

i follow the php docs in this case. so i might be wrong. but i never saw ";" as replacement for "?".

do you have any docs that show us the ";" as replacment for "?"?

Actions #4

Updated by darix over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

seems to prove my understanding. closing as invalid.

Actions #5

Updated by Anonymous over 16 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (wontfix)

JEE servers such as Tomcat or Orion generate the URIs mentioned above. By closing this bug you make it impossible to use Lighttpd unpatched with these servers (of which at least Tomcat is very popular in enterprises). Please see the Orion site for example URLs.

-- johann

Actions #6

Updated by darix over 16 years ago

1. i asked my friends from the java side if they have hit those kind of urls so far. and they said no. and from the docs it seems that your urls are invalid anyway. last but not least. you can disable the "check-local" than lighty would directly dispatch the request to the backend without even checking if the file exists. that said ... it should still be possible to use tomcat and stuff.

Actions #7

Updated by jwmcglynn over 16 years ago

Sadly a semicolon is used to separate the path from the query string, take a look at this Google search:

I checked the RFCs and can't find anything that allows it to be used this way.

Actions #8

Updated by darix over 16 years ago
3. URI Syntactic Components
"""... This "generic URI" syntax consists of a sequence of four main components:

and later
"""3.4. Query Component

The query component is a string of information to be interpreted by
the resource.
query         = *uric
Within a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved."""
Actions #9

Updated by moo over 16 years ago

try to use check-local, rewrite etc

Actions #10

Updated by Anonymous almost 16 years ago

Hello, my name is car esarches. I found super site wuth: Gratz!.

-- car esarches

Actions #11

Updated by Anonymous over 15 years ago

FWIW, an older URI RFC allowed semicolons to be used for parameters on path components instead of on the query itself.

-- luke-jr+lighttpd

Actions #12

Updated by stbuehler almost 15 years ago

  • Status changed from Need Feedback to Invalid
  • Patch available set to No

Then rewrite your urls if you have to. lightys behaviour is rfc-conform in this case, so there is nothing wrong.


Also available in: Atom