JSessionID in Tomcat

 
Greenhorn
Posts: 4
Is it possible to replace the semicolon ';' with another delimiter in the jsessionid in the URL?
We are using URL tracking for session handling to support multi-tab session management (each tab should behave as a unique session).
 
Saloon Keeper
Posts: 5043
Why do you want to do this?
 
Bartender
Posts: 19988
Welcome to the JavaRanch, Raju!

The jsessionid in the URL only appears when URL rewriting is done. The preferred mechanism for transferring jsessionid is in a cookie.

And you would have to not only modify the URL parsing of the Tomcat server, but also the URL rewriting.

But you should not be manipulating the sessionID yourself at all.

The sessionID belongs to the appserver (Tomcat), not the webapp. It is a randomly-generated hash key that allows Tomcat to find the right HttpSession from its collection of sessions as part of the process of dispatching an incoming HTTP(s) request.

And Tomcat can change that key without notice at any time. And will. In particular, it will do so when you shift from http to https because not to do so would be a security problem.

So a jsessionid should never be cached or modified. Instead, it is continuously passed from server to client and back from client to server with each subsequent URL request. That is true whether the jsessionid is part of the URL or in a cookie within the request.

Your real issue is on the client side. The off-the-street clients (Internet Explorer, Firefox, Opera, Safari, etc.) don't have the ability to juggle multiple sessions with one server. HTTP is not a continuous-connection protocol, where each tab could open a separate connection. If it was, jsessionID wouldn't even be necessary. Instead, HTTP opens and closes a connection for each URL request. The jsessionID is simply the way that these unconnected requests can be associated with each other and with server-side data storage for that web client.
 
raju ayyappan
Greenhorn
Posts: 4
We are facing an issue with redirection from an external payment gateway.
We use successURL and failureURL for redirection back to our website from the payment gateway.

In both cases we append the jsessionid to the URL when submitting to the payment gateway.

After successful payment processing, the payment gateway is not able to process the redirection URL due to the presence of the special character semicolon ";" in the URLs,
i.e. due to security issues the payment gateway doesn't support URLs with special characters.

So the payment gateway is not able to redirect back to the originating caller website.

Sample URLs used for redirection:
SuccessURL=https://localhost/reservation/ibe/bankTransfer/sofort;jsessionid=sessionid?Response=PROCESSING

FailureURL=https://localhost/reservation/ibe/bankTransfer/sofort;jsessionid=sessionid?Response=FAILED

We append the jsessionid dynamically to the URL in order to retain the correct session.
 
raju ayyappan
Greenhorn
Posts: 4
I hope ";jsessionid" is the standard format generated by the Tomcat container to manage sessions for URL rewriting.
Does Tomcat have an option to override ";jsessionid=" with "#jsessionid=" or any other delimiter in the URL?
 
Tim Moores
Saloon Keeper
Posts: 5043
Why would you append the session ID to the URL for some other web site? It has no value there (and should not be sent anywhere else anyway).

A semi-colon is not a special character in an URL, by the way - the failure of an URL processor to handle it should be considered a bug.
 
Tim Holloway
Bartender
Posts: 19988
As I recall, the usual behaviour of a payment gateway involves sending the payment request to the gateway along with a return URL(s). The payment gateway runs on a foreign web application, so it needs that URL to return back to the app. And to tell the app whether the payment was accepted or not. That isolates the money-handling process from the regular application, making it harder to exploit possible app weaknesses to know or access payors' and payees' accounts directly.

However, RFC 3986 defines what is and isn't valid in a URL, not some genius who thinks that they know what's secure and what isn't. Section 2.2 defines the characters that have special meaning to URLs, and that does include the semicolon character. Also see section 3.3 for information specifically about use of the semicolon in a URL.

Any gateway worth the price should be capable of dealing with that.

I should note that the sessionID is itself secure information, and when you're talking to a payment gateway, you should have already shifted into an SSL/TLS communications mode, meaning that Tomcat will have changed the sessionID at least once already. Indeed, you should enter SSL at a minimum when you first start a shopping process, even before you create a session.
 
raju ayyappan
Greenhorn
Posts: 4
Many thanks.

To summarize: the payment gateway team is to change their security setting to handle the return URL irrespective of special characters in the URL.

Also, just to understand: does Tomcat have a config/setting where we can override the semicolon ";" in the URL below with ":" or a custom delimiter?
I.e. whenever I hit my application, the jsessionid in the URL should be preceded by a colon ":" instead of a semicolon ";".

https://localhost/welcomepage:jsessionid=ABCDEFGHIJK

 
Tim Moores
Saloon Keeper
Posts: 5043
No
 
Tim Holloway
Bartender
Posts: 19988
No.

Also, the colon character has its own special meanings for a URL.
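
Added example (not code from any poster or from Tomcat): a small Java check, using `java.net.URI`, of which URI component the session token lands in for the three delimiters raised in this thread. The class and method names are made up for illustration, the `#` URL is a constructed variant of the poster's sample, and `redact` is an extra helper for keeping the token value out of logs.

```java
import java.net.URI;
import java.util.List;

public class SessionIdPlacement {

    /** Reports which URI component a "jsessionid=" token ends up in. */
    static String locate(String url) {
        URI uri = URI.create(url);
        String fragment = uri.getRawFragment();
        if (fragment != null && fragment.contains("jsessionid=")) {
            // A fragment stays in the browser and is never part of the request.
            return "fragment (never sent to the server)";
        }
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        for (String segment : path.split("/")) {
            // RFC 3986 section 3.3: ';' separates a segment from its parameters.
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) {
                if (parts[i].startsWith("jsessionid=")) {
                    return "path parameter on segment '" + parts[0] + "'";
                }
            }
            if (parts.length > 0 && parts[0].contains("jsessionid=")) {
                // No ';' in front of it, so it is just part of the segment name.
                return "plain text inside segment '" + parts[0] + "'";
            }
        }
        return "absent";
    }

    /** Masks the token value before a URL is written to a log. */
    static String redact(String url) {
        return url.replaceAll("(?i)(;jsessionid=)[^;/?#]*", "$1REDACTED");
    }

    public static void main(String[] args) {
        // The ';' and ':' URLs are the poster's samples; the '#' URL is a constructed variant.
        List<String> samples = List.of(
            "https://localhost/reservation/ibe/bankTransfer/sofort;jsessionid=sessionid?Response=PROCESSING",
            "https://localhost/welcomepage#jsessionid=ABCDEFGHIJK",
            "https://localhost/welcomepage:jsessionid=ABCDEFGHIJK");
        for (String url : samples) {
            System.out.println(redact(url) + " -> " + locate(url));
        }
    }
}
```

Only the `;` form is a path parameter, which is the form Tomcat's URL rewriting writes and reads back; with `#` the server never receives the token, and with `:` it becomes part of the resource name.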
 