7 Replies Latest reply on Jan 13, 2014 7:27 AM by daniell

    Malformed jsessionid during redirect

    daniell

      I'm using Weld 1.1.16 (Final) and Mojarra 2.1.8 on JBoss-as-7.1.1.Final.

       

      If the user has cookies disabled in his browser, the jsessionid is part of the URL as page-parameter as expected. As an example, the URL of an h:commandLink (with an action) looks like follows: http://localhost:8080/app/page.jsf;jsessionid=FJXhUZ10JQDnMc7zk88rEfJX.undefined

      Clicking on the link results in a POST-request followed by a redirect to

      http://localhost:8080/app/page.jsf;jsessionid=FJXhUZ10JQDnMc7zk88rEfJX.jsf;jsessionid=FJXhUZ10JQDnMc7zk88rEfJX.undefined

      As you can see, the page-parameter jsessionid is contained twice: one ending with .jsf and the original one ending with .undefined.

      Since the first id is unknown to the server, it starts a new session showing the login-page to the user (something like http://localhost:8080/app/login.jsf;jsessionid=ooMJzeGEyzUb9TFN5aQ9-1A+.undefined).

       

      The code for the page itself is straightforward with only one h:commandLink defining some action embedded in an h:form.

       

      While debugging the problem, I found out the following:

      The redirect and the modification of the jsessionid happens in weld's ConversationPropagationFilter. During the call to sendRedirect() the FacesUrlTransformer is utilized to create the action-URL. The method toActionUrl() of the FacesUrlTransformer asks the application's viewhandler (=MultiViewHandler of jsf-impl which is wrapped by weld's ConversationAwareViewHandler).

      So when calling MultiViewHandler.getActionURL(), the passed viewId contains the jsessionid. Among other tasks, the MultiViewHandler.getActionURL() looks for the last "." in the viewId and replaces it with the registered extension (section "Deal with extension mapping" in the code). This is where .undefined gets replaced by .jsf.

       

      I think this is a bug in either the jsf-impl or weld. If the jsessionid must not be part of the viewId, it's weld's fault. If it may be part of it, the MultiViewHandle of JSF should handle this.

        • 1. Re: Malformed jsessionid during redirect
          mkouba

          Hi Daniel,

          I'm not sure whether jsessionid may be part of the viewId but in any case it seems you can get rid of ".undefined" suffix by setting your own instance-id in AS7 web subsystem. See also https://community.jboss.org/thread/201760.

          • 2. Re: Malformed jsessionid during redirect
            daniell

            Hi Martin!

             

            Thanks for your answer. I've seen, that i can set the instance-id to some value to eliminate the ".undifined"-suffix. But then, the URL contains the jsessionid with the specified instance-id as suffix. Thus instead of ".undefined" there is ".mynode" (or whatever is specified) which becomes replaced by ".jsf" and the problem still exists.

            • 3. Re: Malformed jsessionid during redirect
              mkouba

              I see. AFAIK a dot is not a reserved character and doesn't have to be encoded, i.e. "1234.undefined" is a legal session ID. So with regard to viewId question - I did not find anything relevant in the JSF spec so far.

              • 4. Re: Malformed jsessionid during redirect
                mkouba

                Perhaps FacesUrlTransformer should rather use FacesContext.getViewRoot().getViewId() to obtain the correct viewId (without the jsessionid). But I'm no JSF expert so I may be missing something...

                • 5. Re: Malformed jsessionid during redirect
                  daniell

                  Me too. 7.4.2. of the spec states that the "?" and all following characters should be removed from the viewId when looking for a navigation-outcome, but the path-parameter introduced by a ";" is not mentioned anywhere. The current behavior of getActionURL() is exactly described in section "7.5.2 Default ViewHandler Implementation" (replacement of the extension beginning from the last period-position).

                   

                  I still think that the page-parameter is not part of the view-id. When looking in the configuration-file which does the navigation, obviously the page-params cannot be part of it (otherwise a navigation-rule from-view-id could not work).

                  • 6. Re: Malformed jsessionid during redirect
                    mkouba

                    Actually ConversationPropagationFilter is deprecated and should not be registered any more. This was fixed in Weld integration code. So either switch to EAP 6.1.0 or WildFly8. See also https://issues.jboss.org/browse/WELD-1262 and https://issues.jboss.org/browse/JBPAPP6-1664.

                    • 7. Re: Malformed jsessionid during redirect
                      daniell

                      I deployed the application using EAP 6.2.0. The suffix of the JSessionID is not modified any more and it works as expected.

                       

                      For those facing the same problem and tied to the JBoss AS 7.1.1: using the PrimeFaces' p:commandLink instead of h:commandLink worked around the problem (since this makes an ajax-request).