Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-16398

Review jsessionid management in URL system

    XMLWordPrintable

    Details

    • Release Notes Summary:
      Tomcat can be configured to enable session cookie tracking.
    • Backlog priority:
      800
    • Upgrade notes:
      Hide

      Since 10.2, Tomcat is configured by default with the COOKIE session tracking mode.
      This prevents Tomcat from appending jsessionid to the URLs, for example a file download URL.

      In 10.2 and later, to disable the COOKIE tracking mode and keep Tomcat's out of the box configuration, set the following property in nuxeo.conf:

      session.config.tracking.mode.cookie=false
      

      In 9.10-HF12, 8.10-HF33 and 7.10-HF43, the previous behavior is kept.
      The new behavior can be enabled by setting

      session.config.tracking.mode.cookie=true
      

      Session tracking mode implications

      If the COOKIE mode is:

      • enabled: the jsessionid parameter will never be appended to the URLs. Yet, cookies need to be enabled in the brower.
      • disabled: the jsessionid parameter might be appended to some URLs, for instance when sharing a document permalink to an anonymous user or when clearing the browser's cookies. Yet, cookies don't need to be enabled in the browser.
      Show
      Since 10.2, Tomcat is configured by default with the COOKIE session tracking mode. This prevents Tomcat from appending jsessionid to the URLs, for example a file download URL. In 10.2 and later, to disable the COOKIE tracking mode and keep Tomcat's out of the box configuration, set the following property in nuxeo.conf : session.config.tracking.mode.cookie= false In 9.10-HF12, 8.10-HF33 and 7.10-HF43, the previous behavior is kept. The new behavior can be enabled by setting session.config.tracking.mode.cookie= true Session tracking mode implications If the COOKIE mode is: enabled : the jsessionid parameter will never be appended to the URLs. Yet, cookies need to be enabled in the brower. disabled : the jsessionid parameter might be appended to some URLs, for instance when sharing a document permalink to an anonymous user or when clearing the browser's cookies. Yet, cookies don't need to be enabled in the browser.
    • Sprint:
      nxfit 10.2.7, nxfit 10.2.8, nxfit 10.2.9
    • Story Points:
      5

      Description

      There are several places where a jsessionid element in the URL has to be removed explicitely to avoid interfering with codec parsing logics.

      This should be reviewed more globally to avoid this specific use cases (list still to be done)

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 days, 1 hour
                  2d 1h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.