[MAGNOLIA-4911] Sticky "jsessionid" URL parameter causes 404 right after login
Created: 04/Mar/13
Updated: 02/Sep/14
Resolved: 27/Jun/13

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 5.0

Type: Bug
Priority: Blocker
Reporter: Andreas Weder
Assignee: Daniel Lipp
Resolution: Fixed
Votes: 0
Labels: alpha3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Device: Firefox 19.0, Mac OS X 10.8.2
Build: magnolia_bundle-stable #14


Attachments: PNG File Login - sticky jsession param.png    
Issue Links:
causality
is causing MAGNOLIA-5356 Web.xml uses 2.5 and 3.0 features but... Closed
relation
is related to MGNLUI-641 JS missing with Tomcat Closed
is related to MAGNOLIA-5382 Handling of URIs and paths with path ... Closed
is related to MAGNOLIA-5728 Reconfigure bundled tomcat to avoid a... Closed

 Description   

Sometimes, if you log in, you'll get a 404 page not found. In my quick tests, it especially happens when you close a browser and start it again, then log into Magnolia.

In order to reproduce:
1. Use Safari on Mac OS X (I have 6.0.2 on 10.8.2)
2. Go to your local installation of M5, log in
3. Close the browser (not just the window, the entire app)
4. Open Safari again
5. Go to your Magnolia installation again using the URL http://localhost:8080/magnoliaAuthor . *Don't let Safari extend it to http://localhost:8080/magnoliaAuthor/.magnolia/admincentral*
6. Log in
7. Right after log-in, you run into the 404 described in this issue



 Comments   
Comment by Andreas Weder [ 04/Mar/13 ]

Marking this as blocker, as it leads to a very nasty demo effect.

Comment by Andreas Weder [ 04/Mar/13 ]

Attached a screen shot showing this not so convincing feature.

Comment by Daniel Lipp [ 04/Mar/13 ]

Looks like it's something to be configured: http://fralef.org/tomcat-disable-jsessionid-in-url.html

Comment by Andreas Weder [ 05/Mar/13 ]

Adding reference to a website explaining the background behind why this URL parameter is added, under what condition this happens and how you can change that in TC 6 and 7

Comment by Andreas Weder [ 05/Mar/13 ]

I can confirm the server-config setting, suggested on the web page linked to this issue, works and the error remains reproducible. Use the setting, it doesn't show up; remove it again, it shows up again if you follow the steps mentioned here.

So far, this only happened if I explicitly used http://localhost:8080/magnolia and not when I used e.g. http://localhost:8080/magnoliaAuthor/.magnolia/admincentral (linked on the "welcome screen" available on http://localhost:8080) or http://localhost:8080/magnoliaAuthor/.magnolia/admincentral#shell:applauncher:; (shown in the Apps screen after login).

Comment by Daniel Lipp [ 20/Mar/13 ]

See http://git.magnolia-cms.com/gitweb?p=ce-bundle.git;a=commitdiff;h=936ceae95ce58fcb2b896e3a39bd849a72b9e4f0 - I had used the old & wrong issue no MGNLUI-791 when committing.

Comment by Daniel Lipp [ 27/Jun/13 ]

reopening to be able to set proper resolution

Comment by Daniel Lipp [ 27/Jun/13 ]

had been fixed and reviewed long time ago - now just set proper resolution

Comment by Tobias Mattsson [ 03/Oct/13 ]

The real problem is in info.magnolia.cms.filters.Mapping#findMatcher, where it matches using the URI taken either from AggregationState or HttpServletRequest.getRequestURI(). Both contain the path parameter JSESSIONID, which should be ignored but isn't. It could be argued that it should have been stripped already in ContentTypeFilter, where the aggregation state is populated. See also MAGNOLIA-3841.
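
The path-parameter handling discussed in the comment above, as an added Java example (not Magnolia's code and not the fix that was committed): a hypothetical `stripPathParameters` helper removes `;jsessionid=...` style parameters from a request URI before it is compared with a mapping. The class name, the mapping string and the sample URIs are constructed for illustration.

```java
// Added example, not Magnolia code. Class, method and sample values are hypothetical.
public class PathParameterDemo {

    /**
     * Removes ";name=value" path parameters from every segment of a URI path,
     * e.g. the ";jsessionid=..." a container appends when it rewrites URLs.
     */
    static String stripPathParameters(String uri) {
        if (uri == null || uri.indexOf(';') < 0) {
            return uri;
        }
        StringBuilder out = new StringBuilder(uri.length());
        boolean inParameter = false;
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '?') {
                // getRequestURI() carries no query string, but if one is passed
                // in, keep it untouched.
                out.append(uri, i, uri.length());
                break;
            }
            if (c == ';') {
                inParameter = true;   // parameter runs to the end of the segment
            } else if (c == '/') {
                inParameter = false;  // next segment starts
            }
            if (!inParameter) {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String mapping = "/.magnolia/admincentral"; // constructed exact-match mapping
        String[] uris = {                           // constructed request URIs
            "/.magnolia/admincentral",
            "/.magnolia/admincentral;jsessionid=0123456789ABCDEF",
            "/.magnolia;v=1/admincentral;jsessionid=0123456789ABCDEF",
        };
        for (String uri : uris) {
            boolean raw = uri.equals(mapping);
            boolean stripped = stripPathParameters(uri).equals(mapping);
            System.out.printf("%-60s raw=%b stripped=%b%n", uri, raw, stripped);
        }
    }
}
```

Matching on the stripped path keeps filter and mapping decisions the same whether or not the container appended a session id to the URL.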

Comment by Lars Fischer [ 02/Sep/14 ]

The link seems to have changed

https://fralef.me/tomcat-disable-jsessionid-in-url.html

Generated at Mon Feb 12 04:00:13 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.