Bug 368060 - HttpServletResponse sendRedirect should not encode jsessionid into the URL
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 8.0.4
Hardware: All All
Importance: P3 major
Target Milestone: 7.5.x
Assignee: Greg Wilkins
Reported: 2012-01-06 16:12 EST by Igor Malinin
Modified: 2012-01-12 01:01 EST
Description Igor Malinin 2012-01-06 16:12:02 EST
Build Identifier: 8.0.4.v20111024

The org.eclipse.jetty.server.Response.sendRedirect() should not call encodeRedirectURL().

This is a violation of the Servlet spec, which requires the user of the Servlet API to call encodeRedirectURL explicitly before calling sendRedirect().

This becomes really annoying when you do something like this:

response.sendRedirect("https://www.google.com/accounts/o8/ud")
and it redirects to
https://www.google.com/accounts/o8/ud;jsessionid=_the_url_is_broken_

Please remove the line containing "location=encodeRedirectURL(location);" from the sendRedirect method!

Reproducible: Always

Steps to Reproduce:
In a request with a cookie-less session, call
response.sendRedirect("https://www.google.com/accounts/o8/ud")
or use any other URL...
Comment 1 Greg Wilkins 2012-01-10 20:23:24 EST
I'm sure that previously somebody convinced me that sendRedirect should do the encode.... but I can't re-convince myself of that.  

so fixing for 7.6 and 8.1
Comment 2 Jan Bartel 2012-01-12 01:01:35 EST
Greg,

I think it was this issue where we put the jsessionid encoding onto the sendRedirect:

http://jira.codehaus.org/browse/JETTY-1146

It seems that the JSF framework is/was NOT calling encodeRedirectUrl before calling sendRedirect ....

Jan
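
Added example, not part of the bug thread and not Jetty or JSF code: a caller-side helper that does the explicit encodeRedirectURL() call the description asks for, but only for targets on the application's own host, so a cookie-less session id is never appended to an external URL such as the OpenID endpoint above. The class name `Redirects`, its methods, and the host-only comparison are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: explicit, caller-side redirect encoding. */
public final class Redirects {
    private Redirects() {}

    /**
     * Redirects to location. The session id is added by URL rewriting only
     * when the target is on the host that served this request.
     */
    public static void redirect(HttpServletRequest request,
                                HttpServletResponse response,
                                String location) throws IOException {
        if (isSameHost(request, location)) {
            // Own application: rewriting keeps a cookie-less session alive.
            location = response.encodeRedirectURL(location);
        }
        // External target: sent unchanged, so no ";jsessionid=..." reaches
        // the third party's URL, access logs or Referer headers.
        response.sendRedirect(location);
    }

    /** Assumption: "same application" is approximated by "same host name". */
    static boolean isSameHost(HttpServletRequest request, String location) {
        try {
            URI target = new URI(location);
            if (target.getHost() == null) {
                // Local only if it is a plain relative reference: no scheme
                // (rules out mailto:, javascript:) and no authority part.
                return !target.isAbsolute() && target.getRawAuthority() == null;
            }
            return target.getHost().equalsIgnoreCase(request.getServerName());
        } catch (URISyntaxException e) {
            return false; // unparsable target: never attach the session id
        }
    }
}
```

With the fix from Comment 1 in place, code that relied on sendRedirect() encoding implicitly (the JSF case in Comment 2) needs a call like this to keep cookie-less sessions working on internal redirects.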