Bug #1130
closed
JEE session IDs should be part of the query string
Description
Lighttpd should treat the semicolon as a query string separator. JEE servers usually use something like `;jsessionid=ABCDEFGHIJKLMN`
-- johann
Updated by darix over 17 years ago
hmm afaik the ";" should be equivalent to the "&" and not the "?" ... so why does it matter if lighty sees the ";" or not?
Updated by Anonymous over 17 years ago
Because a request URI `/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla` causes Lighttpd to search for `bla.jsp;jsessionid=ABCDEFGHIJKLM`
instead of `bla.jsp`. And it's very likely that `bla.jsp;jsessionid=ABCDEFGHIJKLM` does not exist ;-)
-- johann
Updated by darix over 17 years ago
this url "/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla" is wrong imho.
shouldn't it be "/bla.jsp?jsessionid=ABCDEFGHIJKLM;blorb=bla"?
i follow the php docs in this case. so i might be wrong. but i never saw ";" as replacement for "?".
do you have any docs that show us the ";" as replacement for "?"?
Updated by darix over 17 years ago
- Status changed from New to Fixed
- Resolution set to wontfix
http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2
seems to prove my understanding. closing as invalid.
Updated by Anonymous over 17 years ago
- Status changed from Fixed to Need Feedback
- Resolution deleted (wontfix)
Updated by darix over 17 years ago
1. i asked my friends from the java side if they have hit those kind of urls so far. and they said no. and from the w3.org docs it seems that your urls are invalid anyway. last but not least. you can disable the "check-local" then lighty would directly dispatch the request to the backend without even checking if the file exists. that said ... it should still be possible to use tomcat and stuff.
Updated by jwmcglynn over 17 years ago
Sadly a semicolon is used to separate the path from the query string, take a look at this Google search:
http://www.google.com/search?q=inurl:jsessionid%3D&hl=en
I checked the RFCs and can't find anything that allows it to be used this way.
Updated by darix over 17 years ago
http://www.ietf.org/rfc/rfc2396.txt
3. URI Syntactic Components
"""... This "generic URI" syntax consists of a sequence of four main components:
<scheme>://<authority><path>?<query>"""
and later
"""3.4. Query Component
The query component is a string of information to be interpreted by
the resource.
query = *uric
Within a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved."""
Updated by Anonymous over 16 years ago
FWIW, an older URI RFC allowed semicolons to be used for parameters on path components instead of on the query itself.
-- luke-jr+lighttpd
Updated by stbuehler about 16 years ago
- Status changed from Need Feedback to Invalid
- Patch available set to No
Then rewrite your urls if you have to. lighty's behaviour is rfc-conform in this case, so there is nothing wrong.
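The disagreement in this thread, as an added example that is not lighttpd's code or part of any comment above: splitting the two URIs from the discussion the way RFC 2396 describes (`<path>?<query>`, with `;param` suffixes allowed on each path segment) shows why a front end that maps the whole path to a file and a JEE backend that strips the `;jsessionid=` parameter end up naming different resources. The function names are hypothetical and the URIs are the ones quoted in the thread.

```python
# Added example. Function names are hypothetical; the sample URIs are the
# two forms quoted in the thread.

def split_request_uri(uri):
    """Split at the first '?', as in RFC 2396's <path>?<query>."""
    path, sep, query = uri.partition("?")
    return path, (query if sep else None)


def strip_path_params(path):
    """Separate ';param' suffixes from every path segment.

    RFC 2396 section 3.3 allows parameters on each segment, not only the
    last one, so every segment is inspected.
    """
    clean, params = [], []
    for segment in path.split("/"):
        name, *seg_params = segment.split(";")
        clean.append(name)
        params.extend(seg_params)
    return "/".join(clean), params


def describe(uri):
    """Return both views of a request URI.

    'path' is what a server doing a literal file lookup uses;
    'resource' is what a backend that strips path parameters uses.
    """
    path, query = split_request_uri(uri)
    resource, path_params = strip_path_params(path)
    return {
        "path": path,
        "query": query,
        "resource": resource,
        "path_params": path_params,
    }


if __name__ == "__main__":
    for uri in (
        "/bla.jsp;jsessionid=ABCDEFGHIJKLM?blorb=bla",   # form reported in the bug
        "/bla.jsp?jsessionid=ABCDEFGHIJKLM;blorb=bla",   # form suggested in reply
    ):
        print(uri, "->", describe(uri))
```

When `path` and `resource` differ, any rule keyed on the literal path (file existence checks, extension handlers, URL-based access rules) is evaluated against a different name than the one the backend serves.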