Project

General

Profile

Bug #1130

JEE session IDs should be part of the query string

Added by Anonymous over 12 years ago. Updated almost 11 years ago.

Status:
Invalid
Priority:
Low
Assignee:
Category:
documentation
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

Lighttpd should treat the semicolon as a query string separator. JEE severs usually use something like `;jsessionid=ABCDEFGHIJKLMN`

-- johann

lighttpd_query_string.diff (1.5 KB) lighttpd_query_string.diff Patch to make JEE session IDs part of the query string. -- johann Anonymous, 2007-04-21 06:58

History

#1

Updated by darix over 12 years ago

hmm afaik the ";" should be equivalent to the "&" and not the "?" ... so why does it matter if lighty sees the ";" or not?

#2

Updated by Anonymous over 12 years ago

Because a request URI `/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla@ causes Lighttpd to search for bla.jsp;jsessionid=ABCDEFGHIJKLM instead of @bla.jsp`. And it's very likely that `bla.jsp;jsessionid=ABCDEFGHIJKLM` does not exist ;-)

-- johann

#3

Updated by darix over 12 years ago

this url "/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla" is wrong imho.
shouldnt it be "/bla.jsp?jsessionid=ABCDEFGHIJKLM;blorb=bla".

i follow the php docs in this case. so i might be wrong. but i never saw ";" as replacement for "?".

do you have any docs that show us the ";" as replacment for "?"?

#4

Updated by darix over 12 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2

seems to prove my understanding. closing as invalid.

#5

Updated by Anonymous over 12 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (wontfix)

JEE servers such as Tomcat or Orion generate the URIs mentioned above. By closing this bug you make it impossible to use Lighttpd unpatched with these servers (of which at least Tomcat is very popular in enterprises). Please see the Orion site for example URLs.

-- johann

#6

Updated by darix over 12 years ago

1. i asked my friends from the java side if they have hit those kind of urls so far. and they said no. and from the w3.org docs it seems that your urls are invalid anyway. last but not least. you can disable the "check-local" than lighty would directly dispatch the request to the backend without even checking if the file exists. that said ... it should still be possible to use tomcat and stuff.

#7

Updated by jwmcglynn over 12 years ago

Sadly a semicolon is used to separate the path from the query string, take a look at this Google search:

http://www.google.com/search?q=inurl:jsessionid%3D&hl=en

I checked the RFCs and can't find anything that allows it to be used this way.

#8

Updated by darix over 12 years ago

http://www.ietf.org/rfc/rfc2396.txt
3. URI Syntactic Components
"""... This "generic URI" syntax consists of a sequence of four main components:
<scheme>://<authority><path>?<query>"""

and later
"""3.4. Query Component

The query component is a string of information to be interpreted by
the resource.
query         = *uric
Within a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved."""
#9

Updated by moo over 12 years ago

try to use check-local, rewrite etc

#10

Updated by Anonymous almost 12 years ago

Hello, my name is car esarches. I found super site wuth:
http://payloan.t35.com/payday-loan-290.htmlhttp://payloan.t35.com/payday-loan-418.htmlhttp://payloan.t35.com/payday-loan-198.html Gratz!.
<URLsWithURL>

-- car esarches

#11

Updated by Anonymous over 11 years ago

FWIW, an older URI RFC allowed semicolons to be used for parameters on path components instead of on the query itself.

-- luke-jr+lighttpd

#12

Updated by stbuehler almost 11 years ago

  • Status changed from Need Feedback to Invalid
  • Patch available set to No

Then rewrite your urls if you have to. lightys behaviour is rfc-conform in this case, so there is nothing wrong.

Also available in: Atom