[NXP-16398] Review jsessionid management in URL system - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.0
Fix Version/s: 7.10-HF43, 8.10-HF33, 9.10-HF12, 10.2
Component/s: Seam / JSF UI

Release Notes Summary:
Tomcat can be configured to enable session cookie tracking.
Tags:
Backlog priority:
800
Upgrade notes:
Hide

Since 10.2, Tomcat is configured by default with the COOKIE session tracking mode.
This prevents Tomcat from appending jsessionid to the URLs, for example a file download URL.

In 10.2 and later, to disable the COOKIE tracking mode and keep Tomcat's out of the box configuration, set the following property in nuxeo.conf:

session.config.tracking.mode.cookie=false

In 9.10-HF12, 8.10-HF33 and 7.10-HF43, the previous behavior is kept.
The new behavior can be enabled by setting

session.config.tracking.mode.cookie=true

Session tracking mode implications

If the COOKIE mode is:

enabled: the jsessionid parameter will never be appended to the URLs. Yet, cookies need to be enabled in the brower.

disabled: the jsessionid parameter might be appended to some URLs, for instance when sharing a document permalink to an anonymous user or when clearing the browser's cookies. Yet, cookies don't need to be enabled in the browser.
Show
Since 10.2, Tomcat is configured by default with the COOKIE session tracking mode. This prevents Tomcat from appending jsessionid to the URLs, for example a file download URL. In 10.2 and later, to disable the COOKIE tracking mode and keep Tomcat's out of the box configuration, set the following property in nuxeo.conf : session.config.tracking.mode.cookie= false In 9.10-HF12, 8.10-HF33 and 7.10-HF43, the previous behavior is kept. The new behavior can be enabled by setting session.config.tracking.mode.cookie= true Session tracking mode implications If the COOKIE mode is: enabled : the jsessionid parameter will never be appended to the URLs. Yet, cookies need to be enabled in the brower. disabled : the jsessionid parameter might be appended to some URLs, for instance when sharing a document permalink to an anonymous user or when clearing the browser's cookies. Yet, cookies don't need to be enabled in the browser.
Sprint:
nxfit 10.2.7, nxfit 10.2.8, nxfit 10.2.9
Story Points:
5

Description

There are several places where a jsessionid element in the URL has to be removed explicitely to avoid interfering with codec parsing logics.

This should be reviewed more globally to avoid this specific use cases (list still to be done)

Attachments

Issue Links

is related to

NXP-7252 JSESSIONID retrieval should be more robust when there is no cookie

Resolved

is required by

NXP-10681 Fix not found url when navigating with a jsessionid on style guide

Resolved

NXP-13430 Fix not found URL when navigating with a jsessionid

Resolved

NXP-23845 Always remove the jsessionid parameter from the downloaded file name

Resolved

NXP-25013 Always remove the jsessionid parameter from the downloaded file name

Resolved

NXP-16217 Perform field constraints validation on JSF forms

Resolved

NXP-15765 Use HTTP session before cookies to extract the session id

Resolved

(2 is required by)

Activity

People

Assignee:

Antoine Taillefer

Reporter:

Anahide Tchertchian

Participants:

Anahide Tchertchian, Antoine Taillefer, Jenkins

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2015-01-23 10:17

Updated:

2018-07-16 16:42

Resolved:

2018-07-05 09:46

Time Tracking

Estimated:

Remaining:

Logged:

2d 1h