JSessionID in Tomcat

 
Greenhorn
Is it possible to replace the semicolon ';' with another delimiter in the jsessionid in the URL?
We are using URL tracking for session handling to support multi-tab session management (each tab should behave as a unique session).





 
Saloon Keeper
Why do you want to do this?
 
Bartender
Welcome to the JavaRanch, Raju!

The jsessionid in the URL only appears when URL rewriting is done. The preferred mechanism for transferring jsessionid is in a cookie.

And you would have to not only modify the URL parsing of the Tomcat server, but also the URL rewriting.

But you should not be manipulating the sessionID yourself at all.

The sessionID belongs to the appserver (Tomcat), not the webapp. It is a randomly-generated hash key that allows Tomcat to find the right HttpSession from its collection of sessions as part of the process of dispatching an incoming HTTP(s) request.

And Tomcat can change that key without notice at any time. And will. In particular, it will do so when you shift from http to https because not to do so would be a security problem.

So a jsessionid should never be cached or modified. Instead, it is continuously passed from server to client and back from client to server with each subsequent URL request. That is true whether the jsessionid is part of the URL or in a cookie within the request.

Your real issue is on the client side. The off-the-street clients (Internet Explorer, Firefox, Opera, Safari, etc.) don't have the ability to juggle multiple sessions with one server. HTTP is not a continuous-connection protocol, where each tab could open a separate connection. If it was, jsessionID wouldn't even be necessary. Instead, HTTP opens and closes a connection for each URL request. The jsessionID is simply the way that these unconnected requests can be associated with each other and with server-side data storage for that web client.
 
raju ayyappan
Greenhorn
We are facing an issue when redirecting from an external payment gateway.
We use successURL and failureURL for redirection back to our website from the payment gateway.

In both cases we append the jsessionid in the URL when submitting to the payment gateway.

After successful payment processing, the payment gateway is not able to process the redirection URL due to the presence of the special character semicolon ";" in the URLs,
i.e. due to security issues the payment gateway doesn't support URLs with special chars.

So the payment gateway is not able to redirect back to the origin caller website.

Sample URLs used for redirection:
SuccessURL=https://localhost/reservation/ibe/bankTransfer/sofort;jsessionid=sessionid?Response=PROCESSING

FailureURL=https://localhost/reservation/ibe/bankTransfer/sofort;jsessionid=sessionid?Response=FAILED

We append the jsessionid dynamically in the URL in order to retain the correct session.

 
raju ayyappan
Greenhorn
Hope ;jsessionid is a standard format generated by the Tomcat container to manage sessions for URL rewriting.
Does Tomcat have an option to override ";jsessionid=" with "#jsessionid=" or any other delimiter in the URL?
 
Tim Moores
Saloon Keeper
Why would you append the session ID to the URL for some other web site? It has no value there (and should not be sent anywhere else anyway).

A semi-colon is not a special character in an URL, by the way - the failure of an URL processor to handle it should be considered a bug.
 
Tim Holloway
Bartender
As I recall, the usual behaviour of a payment gateway involves sending the payment request to the gateway along with a return URL(s). The payment gateway runs on a foreign web application, so it needs that URL to return back to the app. And to tell the app whether the payment was accepted or not. That isolates the money-handling process from the regular application, making it harder to exploit possible app weaknesses to know or access payors' and payees' accounts directly.

However, RFC 3986 defines what is and isn't valid in a URL, not some genius who thinks that they know what's secure and what isn't. Section 2.2 defines the characters that have special meaning to URLs, and that does include the semicolon character. Also see section 3.3 for information specifically about use of the semicolon in a URL.

Any gateway worth the price should be capable of dealing with that.

I should note that the sessionID is itself secure information, and when you're talking to a payment gateway, you should have already shifted into an SSL/TLS communications mode, meaning that Tomcat will have changed the sessionID at least once already. Indeed, you should enter SSL at a minimum when you first start a shopping process, even before you create a session.
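
An added example, not part of the post above and not Tomcat's own code: java.net.URI accepts the SuccessURL from this thread with the semicolon as part of the path, and a hypothetical helper removes the ";jsessionid=" path parameter before a URL is logged or handed to another site. The names PathParamDemo and stripSessionId are assumptions made for the illustration, as is the default parameter name "jsessionid".

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class PathParamDemo {

    // Hypothetical helper: drops any ";jsessionid=..." path parameter from each
    // path segment. Other path parameters, the query and the fragment are kept.
    static URI stripSessionId(URI in) throws URISyntaxException {
        String rawPath = in.getRawPath();
        if (rawPath == null) {
            return in; // opaque URI (e.g. mailto:), no path to clean
        }
        StringBuilder path = new StringBuilder();
        String[] segments = rawPath.split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            if (i > 0) {
                path.append('/');
            }
            String[] parts = segments[i].split(";", -1);
            path.append(parts[0]); // the segment itself, before any parameter
            for (int j = 1; j < parts.length; j++) {
                if (!parts[j].toLowerCase(Locale.ROOT).startsWith("jsessionid=")) {
                    path.append(';').append(parts[j]);
                }
            }
        }
        // Reassemble from the raw components so nothing is re-encoded.
        StringBuilder out = new StringBuilder();
        if (in.getScheme() != null) out.append(in.getScheme()).append(':');
        if (in.getRawAuthority() != null) out.append("//").append(in.getRawAuthority());
        out.append(path);
        if (in.getRawQuery() != null) out.append('?').append(in.getRawQuery());
        if (in.getRawFragment() != null) out.append('#').append(in.getRawFragment());
        return new URI(out.toString());
    }

    public static void main(String[] args) throws URISyntaxException {
        // SuccessURL as posted in the thread ("sessionid" is the poster's placeholder).
        URI u = new URI("https://localhost/reservation/ibe/bankTransfer/sofort"
                + ";jsessionid=sessionid?Response=PROCESSING");
        // The semicolon parses as part of the path, not the query.
        System.out.println("path  = " + u.getRawPath());
        System.out.println("query = " + u.getRawQuery());
        // What to log or hand to a third party: the same URL without the session ID.
        System.out.println("clean = " + stripSessionId(u));
    }
}
```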
 
raju ayyappan
Greenhorn
Many thanks.

To summarize: the payment gateway team is to change their security setting to handle the return URL irrespective of special characters in the URL.

Also, just to understand: does Tomcat have a config/setting where we can override the semicolon ";" in the below URL with ":" or a custom delimiter,
i.e. whenever I hit my application the jsessionid in the URL should be preceded by a colon ":" instead of a semicolon ";"?

https://localhost/welcomepage:jsessionid=ABCDEFGHIJK

 
Tim Moores
Saloon Keeper
No
 
Tim Holloway
Bartender
No.

Also, the colon character has its own special meanings for a URL.
 