Bug 364814

Summary: Jetty adds ;jsessionid= to external redirects
Product: [RT] Jetty
Reporter: Ali S <ali.sakebi>
Component: server
Assignee: Greg Wilkins <gregw>
Status: CLOSED INVALID
QA Contact:
Severity: normal
Priority: P3
CC: jetty-inbox
Version: 7.5.4
Target Milestone: 7.5.x
Hardware: PC
OS: Linux
Whiteboard:

Description Ali S CLA 2011-11-25 05:48:03 EST
Clear browser cookies.

Create a jsp file with following lines:
<%
response.sendRedirect("http://external-url.com/");
return;
%>

Open it in browser, you will be redirected to:
http://external-url.com/;jsessionid=...


Inside my pom.xml:

    <build>
        <plugins>
            <plugin>
                <groupId>org.mortbay.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>8.0.4.v20111024</version>
                <configuration>
                    <reload>manual</reload>
                    <webAppConfig>
                        <contextPath>/</contextPath>
                    </webAppConfig>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.mortbay.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>7.5.4.v20111024</version>
                <configuration>
                    <reload>manual</reload>
                    <webAppConfig>
                        <contextPath>/</contextPath>
                    </webAppConfig>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

Comment 1 Ali S CLA 2011-11-25 05:50:35 EST
I have included two pom.xml files by mistake; 7.5.4.v20111024 is correct.

(I was testing a newer version too.)

Comment 2 Greg Wilkins CLA 2011-11-27 16:28:15 EST
There is an option on SessionManager to turn on remote URL checking.

AbstractSessionManager#setCheckingRemoteSessionIdEncoding

Have a look at the deployment of the test webapp in the distro to see how options can be set on the session manager.

The test for non-remote is request.getServerName().equalsIgnoreCase(uri.getHost), which is probably less than perfect.  If this does not work for you, then please open another bugzilla and describe how you determine what is local/remote.
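
The host comparison described in Comment 2, modelled as an added example that is not part of the bug report and is not Jetty's source. The class and method names, the server name and the session id are constructed for illustration; the last sample target shows one case where a host-only comparison cannot tell two origins apart.

```java
import java.net.URI;

// Added illustration, not Jetty source: models the local/remote test quoted in
// Comment 2 to show when ;jsessionid= is appended to a redirect target.
public class SessionIdEncodingCheck {

    // Mirrors request.getServerName().equalsIgnoreCase(uri.getHost()).
    static boolean isLocal(String serverName, String target) {
        URI uri = URI.create(target);
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return true; // relative URL: stays on the current server
        }
        // A missing or unparseable host yields null and is treated as remote.
        return serverName.equalsIgnoreCase(uri.getHost());
    }

    // Appends the session id as a path parameter only for local targets, so
    // the id is never handed to another site inside the redirect URL.
    static String encodeRedirectURL(String serverName, String target, String sessionId) {
        if (sessionId == null || !isLocal(serverName, target)) {
            return target;
        }
        // The path parameter must go before any query string or fragment.
        int cut = target.length();
        int q = target.indexOf('?');
        int f = target.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        return target.substring(0, cut) + ";jsessionid=" + sessionId + target.substring(cut);
    }

    public static void main(String[] args) {
        String server = "app.example.test"; // constructed server name
        String sid = "SAMPLE-SESSION-ID";   // constructed placeholder, not a real id
        String[] targets = {
            "/account/home?tab=1",                  // relative: local
            "http://APP.example.test/account/home", // same host, different case: local
            "http://external-url.com/",             // the redirect from the report: remote
            "http://app.example.test:8081/other",   // same host, other port: still "local"
        };
        for (String t : targets) {
            System.out.println(t + " -> " + encodeRedirectURL(server, t, sid));
        }
    }
}
```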