Bug 364814 - Jetty adds ;jsessionid= to external redirects
Summary: Jetty adds ;jsessionid= to external redirects
Status: CLOSED INVALID
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 7.5.4
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 7.5.x
Assignee: Greg Wilkins CLA
Reported: 2011-11-25 05:48 EST by Ali S CLA
Modified: 2011-11-27 16:28 EST
Description Ali S CLA 2011-11-25 05:48:03 EST
Clear browser cookies.

Create a JSP file with the following lines:
<%
response.sendRedirect("http://external-url.com/");
return;
%>

Open it in a browser; you will be redirected to:
http://external-url.com/;jsessionid=...


Inside my pom.xml:

    <build>
        <plugins>
            <plugin>
                <groupId>org.mortbay.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>8.0.4.v20111024</version>
                <configuration>
                    <reload>manual</reload>
                    <webAppConfig>
                        <contextPath>/</contextPath>
                    </webAppConfig>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.mortbay.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>7.5.4.v20111024</version>
                <configuration>
                    <reload>manual</reload>
                    <webAppConfig>
                        <contextPath>/</contextPath>
                    </webAppConfig>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
Comment 1 Ali S CLA 2011-11-25 05:50:35 EST
I included two pom.xml files by mistake; 7.5.4.v20111024 is correct.

(I was testing a newer version too.)
Comment 2 Greg Wilkins CLA 2011-11-27 16:28:15 EST
There is an option on SessionManager to turn on remote URL checking.

AbstractSessionManager#setCheckingRemoteSessionIdEncoding

Have a look at the deployment of the test webapp in the distro to see how options can be set on the session manager.

The test for non-remote is request.getServerName().equalsIgnoreCase(uri.getHost()), which is probably less than perfect. If this does not work for you, then please open another bugzilla and describe how you determine what is local/remote.
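
The host comparison quoted in comment 2, as an added example that is not part of the bug thread and not Jetty source. The class and method names are hypothetical, the server name and session id are constructed, and it assumes the client sent no session cookie and that enabling the option suppresses URL encoding whenever the comparison fails.

```java
import java.net.URI;

// Added illustration, not Jetty source: models the local/remote test quoted in
// comment 2 to show which redirect targets would carry ;jsessionid=.
public class RemoteSessionIdCheck {

    // Hypothetical helper. checkRemote stands in for the option set through
    // AbstractSessionManager#setCheckingRemoteSessionIdEncoding (assumed effect).
    static String encodeRedirectUrl(String serverName, String target,
                                    String sessionId, boolean checkRemote) {
        URI uri = URI.create(target);
        String host = uri.getHost();   // null for relative URLs
        boolean local = host == null || serverName.equalsIgnoreCase(host);
        if (checkRemote && !local) {
            return target;             // external host: leave the session id out
        }
        return appendSessionId(target, sessionId);
    }

    // The path parameter goes before any query string or fragment.
    static String appendSessionId(String url, String sessionId) {
        int cut = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) cut = q;
        if (h >= 0 && h < cut) cut = h;
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        String server = "shop.example.test";      // constructed request server name
        String sid = "SAMPLE0000";                 // constructed session id
        String[] targets = {
            "http://external-url.com/",            // redirect target from the report
            "http://SHOP.example.test/cart?x=1",   // same host, different case
            "/login",                              // relative URL, no host part
        };
        for (String t : targets) {
            System.out.println("check off: " + encodeRedirectUrl(server, t, sid, false));
            System.out.println("check on : " + encodeRedirectUrl(server, t, sid, true));
        }
    }
}
```

With the check off, every target carries the session id, including the external one, which hands the id to the third-party site through its request line and logs. With the check on, only the same-host and relative targets do.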