From e49463892bd694f1c2acbac0e4a1ada0a30d4e84 Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 9 May 2011 15:39:34 +0000
Subject: [PATCH] Make adding the trailing slash to the session cookie path configurable
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1101069 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/Context.java | 24 ++++++++++++++++++++++
 .../core/ApplicationSessionCookieConfig.java | 20 ++++++++++++------
 java/org/apache/catalina/core/StandardContext.java | 22 ++++++++++++++++++++
 webapps/docs/config/context.xml | 12 +++++++++++
 4 files changed, 72 insertions(+), 6 deletions(-)
diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java
index 90473d5ed..1a4e124b1 100644
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -299,6 +299,30 @@ public interface Context extends Container {
 /**
+ * Is a / added to the end of the session cookie path to ensure browsers,
+ * particularly IE, don't send a session cookie for context /foo with
+ * requests intended for context /foobar.
+ *
+ * @return true if the slash is added, otherwise
+ * false
+ */
+ public boolean getSessionCookiePathUsesTrailingSlash();
+
+
+ /**
+ * Configures if a / is added to the end of the session cookie path to
+ * ensure browsers, particularly IE, don't send a session cookie for context
+ * /foo with requests intended for context /foobar.
+ *
+ * @param sessionCookiePathUsesTrailingSlash true if the
+ * slash is should be added,
+ * otherwise false
+ */
+ public void setSessionCookiePathUsesTrailingSlash(
+ boolean sessionCookiePathUsesTrailingSlash);
+
+
+ /**
 * Return the "allow crossing servlet contexts" flag.
 */
 public boolean getCrossContext();
diff --git a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
index c4543a3f1..af6607a5a 100644
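Review bot: The Javadoc added for `setSessionCookiePathUsesTrailingSlash` contains a typo (`slash is should be added`), and neither new Javadoc block tells an implementer or caller what is given up when the flag is off. I would reword the parameter text to `true if the slash should be added, otherwise false` and add one sentence to both blocks such as `If disabled, a session cookie issued for /foo may also be sent with requests for /foobar.` The interface does not state the default either; the StandardContext hunk in this patch initialises the field to `true`, which is worth naming here so other Context implementations keep the same default. The interface body continues outside the hunk.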
--- a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
+++ b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
@@ -156,12 +156,20 @@ public class ApplicationSessionCookieConfig implements SessionCookieConfig {
 if (contextPath == null || contextPath.length() == 0) {
 contextPath = context.getEncodedPath();
 }
- // Handle special case of ROOT context where cookies require a path of
- // '/' but the servlet spec uses an empty string
- // Also ensure the cookies for a context with a path of /foo don't get
- // sent for requests with a path of /foobar
- if (!contextPath.endsWith("/")) {
- contextPath = contextPath + "/";
+ if (context.getSessionCookiePathUsesTrailingSlash()) {
+ // Handle special case of ROOT context where cookies require a path of
+ // '/' but the servlet spec uses an empty string
+ // Also ensure the cookies for a context with a path of /foo don't get
+ // sent for requests with a path of /foobar
+ if (!contextPath.endsWith("/")) {
+ contextPath = contextPath + "/";
+ }
+ } else {
+ // Only handle special case of ROOT context where cookies require a
+ // path of '/' but the servlet spec uses an empty string
+ if (contextPath.length() == 0) {
+ contextPath = "/";
+ }
 }
 cookie.setPath(contextPath);
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index ed9869e41..b28582003 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
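Review bot: The new `else` branch leaves the session cookie path as the bare context path, so the separation described in the first branch's comment (a cookie for /foo not being sent with requests for /foobar) is dropped without any mention at the point where that happens. With the option disabled, a browser that prefix-matches cookie paths can hand one application's session ID to a different application whose context path merely starts with the same string. The branch comment only covers the ROOT case; I would add `// NOTE: without the trailing slash the session cookie for /foo may also be sent to a sibling context such as /foobar` so the trade-off is visible to whoever next touches this code. The enclosing method starts and ends outside the hunk, so whether the caller already logs or validates this setting cannot be seen here.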
@@ -771,6 +771,14 @@ public class StandardContext extends ContainerBase /** + * Is a / added to the end of the session cookie path to ensure browsers, + * particularly IE, don't send a session cookie for context /foo with + * requests intended for context /foobar. + */ + private boolean sessionCookiePathUsesTrailingSlash = true; + + + /** * The Jar scanner to use to search for Jars that might contain * configuration information such as TLDs or web-fragment.xml files. */ @@ -1638,6 +1646,20 @@ public class StandardContext extends ContainerBase } + @Override + public boolean getSessionCookiePathUsesTrailingSlash() { + return sessionCookiePathUsesTrailingSlash; + } + + + @Override + public void setSessionCookiePathUsesTrailingSlash( + boolean sessionCookiePathUsesTrailingSlash) { + this.sessionCookiePathUsesTrailingSlash = + sessionCookiePathUsesTrailingSlash; + } + + /** * Return the "allow crossing servlet contexts" flag. */ diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index 28bb96d1f..072915a16 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml @@ -385,6 +385,18 @@ file.

+ +

Some browsers, such as IE, will send a session cookie for a context + with a path of /foo with a request to /foobar. To prevent this, Tomcat + will add a trailing slash to the path associated with the session cookie + so, in the above example, the cookie path becomes /foo/. However, with a + cookie path of /foo/, IE will no longer send the cookie with a request + to /foo. This should not be a problem unless there is a servlet mapped + to /*. In this case this feature will need to be disabled. The default + value for this attribute is true. To disable this feature, + set the attribute to false.

+
+

Set to false if Tomcat should not read any additional request body data for aborted uploads and instead abort the client connection. -- 2.11.0