Thread: Cookie Path Problems Apache/Tomcat / Math Plugin

Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-24 11:42:12
I tried to activate the math comment moderation plugin but every single comment was flagged as spam and killed.

I spent some time analyzing this and in my particular case the problem seems to be that the cookie path sent back in the comment form's HTTP headers is wrong because I use mod_jk to map the blog into my website.

On Tomcat, the web app runs as /blojsom, but in my website I map it to /blog. I can see that the comment form sent by Tomcat through mod_jk has a Set-Cookie header for the cookie path "/blojsom", and so when the browser sends back the comment form to the server at the externally visible location "/blog", it does not send along the cookie.

Since there's no cookie, Tomcat/blojsom cannot tie the incoming request to an existing session and the math plugin is unable to find the math question or expected answer (one of which I guess is stored in the session) and discards the comment.

Solutions would be to

1.) Use Apache 2.2/Tomcat 5 with the mod_proxy module which has the ProxyPassReverseCookiePath option. That does exactly what I need.
2.) Add a JSESSIONID suffix to the form's action URL

I don't have time to do 1.) right now (I run OS X 10.3 with Apple-supplied Apache 1.3), and I did not find out how to do 2.) in the context of a velocity template.

So my question is, what do others do about this cookie path issue, and is there a way I can get at the current session id so I could construct a form submission URL that includes the ;JSESSIONID=xxx part?



Cheers

-Marc





_________________________________________________________________
Marc Liyanage                               http://www.entropy.ch



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Blojsom-users mailing list
Blojsom-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/blojsom-users
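The cookie-path mismatch Marc describes, worked through as an added example (this is not code from the thread, from blojsom or from Apache): path matching as the Netscape cookie spec defines it, a check that flags Set-Cookie headers whose Path will keep the browser from returning the cookie on the externally visible URL, and the rewrite that ProxyPassReverseCookiePath performs (the equivalent of `ProxyPassReverseCookiePath /blojsom /blog` in Apache 2.2). The response headers and the /blog/Website/ request path are constructed from values quoted later in the thread; all function names are this example's own.

```python
# Added example: reverse-proxy cookie path mismatch and its repair.
# The paths are the thread's own layout: Tomcat serves /blojsom,
# Apache publishes it as /blog. Function names are assumptions of this example.
INTERNAL_PATH = "/blojsom"
EXTERNAL_PATH = "/blog"

# Constructed response headers, modelled on the curl output quoted in the thread.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Set-Cookie: JSESSIONID=99E2B69BF4FF243F3463134D36703F81; Path=/blojsom",
    "Content-Type: text/html;charset=UTF-8",
]
# Where the comment form will be POSTed, as the browser sees it.
COMMENT_POST_PATH = "/blog/Website/"


def path_matches(cookie_path, request_path):
    """Netscape-spec path matching: the cookie is sent when its Path is a
    prefix of the request path ("/foo" matches "/foobar" and "/foo/bar.html")."""
    return request_path.startswith(cookie_path)


def parse_set_cookie(header_value):
    """Split 'NAME=VALUE; Attr=val; Flag' into (name, value, [[attr, val], ...]).
    Attribute names keep their original spelling so the header can be rebuilt."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append([key.strip(), val.strip()])
    return name, value, attrs


def cookie_path(attrs, default="/"):
    """Path attribute of a parsed Set-Cookie, or the caller's default when absent."""
    for key, val in attrs:
        if key.lower() == "path":
            return val
    return default


def will_browser_return(header_value, next_request_path):
    """True when the cookie set by this header is sent back on next_request_path.
    False means the session cannot be resumed on that request."""
    _, _, attrs = parse_set_cookie(header_value)
    return path_matches(cookie_path(attrs), next_request_path)


def audit_response_headers(headers, next_request_path):
    """Return the Set-Cookie values in a proxied response whose Path stops the
    cookie from coming back on the externally visible URL."""
    broken = []
    for line in headers:
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            if not will_browser_return(value, next_request_path):
                broken.append(value)
    return broken


def rewrite_cookie_path(header_value, internal, external):
    """What ProxyPassReverseCookiePath does: if Path starts with the internal
    mount point, replace that prefix with the external one; leave others alone."""
    name, value, attrs = parse_set_cookie(header_value)
    for attr in attrs:
        if attr[0].lower() == "path" and attr[1].startswith(internal):
            attr[1] = external + attr[1][len(internal):]
    tail = "; ".join(f"{k}={v}" if v else k for k, v in attrs)
    return f"{name}={value}" + (f"; {tail}" if tail else "")


def demo():
    """Flag the broken cookie, then show the header the proxy should emit instead."""
    broken = audit_response_headers(SAMPLE_HEADERS, COMMENT_POST_PATH)
    fixed = [rewrite_cookie_path(h, INTERNAL_PATH, EXTERNAL_PATH) for h in broken]
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("will not be returned on", COMMENT_POST_PATH, "->", broken)
    print("after path rewrite ->", fixed)
```

`audit_response_headers` is the check to run against a proxied response whenever a Java web app is mounted under a different external path: any header it reports is a session that will silently fail to resume, which is exactly the symptom the math plugin turned into "every comment is spam".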
Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-25 18:44:14
Marc-

I guess what you could do is to write a plugin that pushed the HTTP session ID into the context for use in a Velocity template.

package org.blojsom.plugin.common;

import org.blojsom.plugin.BlojsomPlugin;
import org.blojsom.plugin.BlojsomPluginException;
import org.blojsom.blog.BlojsomConfiguration;
import org.blojsom.blog.BlogEntry;
import org.blojsom.blog.BlogUser;

import javax.servlet.ServletConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.util.Map;

/**
 * Exposes the current HTTP session ID to Velocity templates as $SESSION_ID,
 * so a template can build URLs of the form ".;jsessionid=$SESSION_ID".
 */
public class SessionIDPlugin implements BlojsomPlugin {

    public SessionIDPlugin() {
    }

    public void init(ServletConfig servletConfig, BlojsomConfiguration blojsomConfiguration) throws BlojsomPluginException {
    }

    public BlogEntry[] process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, BlogUser user, Map context, BlogEntry[] entries) throws BlojsomPluginException {
        // getSession(true) creates a session if the request does not carry one yet
        HttpSession session = httpServletRequest.getSession(true);

        context.put("SESSION_ID", session.getId());

        return entries;
    }

    public void cleanup() throws BlojsomPluginException {
    }

    public void destroy() throws BlojsomPluginException {
    }
}

Use this plugin at the beginning of the plugin chain and then construct the URL with the ;JSESSIONID=$SESSION_ID

Maybe that'd work.

On 9/24/06 7:42 AM, "Marc Liyanage" wrote:

> I tried to activate the math comment moderation plugin but every
> single comment was flagged as spam and killed.
> [...]

-- 
David Czarnecki

http://www.blojsom.com/blog/ | http://blojsom.sf.net



Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-26 09:36:58
Hi Marc,

Is your cookie problem somehow similar to this http://blog.hasno.info/blog/segfault/2006/03/26/scode-captcha-finally.html ?

Mark G (the blog author) contacted me earlier this year regarding the issue. His fix was done on top of scode plugin, I think it would be handy if the solution can be a generic plugin where users can easily pass around the jsession id / cookie.

The plugin you created might do that.



Cheers,
Cliff.

On 9/24/06, Marc Liyanage wrote:

> I tried to activate the math comment moderation plugin but every
> single comment was flagged as spam and killed.
> [...]

Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-27 00:09:40
Hi Cliffano,

On 26.09.2006, at 11:36, Cliffano Subagio wrote:

> Hi Marc,
>
> Is your cookie problem somehow similar to this http://blog.hasno.info/blog/segfault/2006/03/26/scode-captcha-finally.html ?

Interesting... I would even say it is exactly the same problem.


> Mark G (the blog author) contacted me earlier this year regarding the issue. His fix was done on top of scode plugin, I think it would be handy if the solution can be a generic plugin where users can easily pass around the jsession id / cookie.
>
> The plugin you created might do that.

Yeah that might work. In my case, after adding the plugin to the configuration and the plugin chains, I only needed one tiny change in the HTML code for the comment form:

     <form id="commentform" method="post" action=".">

became

     <form id="commentform" method="post" action=".;jsessionid=$SESSION_ID">


After that, the math plugin was working. I don't know your plugin, but if the user's response is also entered in a simple input field inside the comment form, then I guess it would work without changing anything in the SCode plugin.

David's source code worked for me unmodified.


-Marc







_________________________________________________________________
Marc Liyanage                               http://www.entropy.ch



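The server side of the fix Marc just described, as an added example (not blojsom or Tomcat code): once the form action carries `;jsessionid=...`, the container has to recover the session id from the URL when no cookie arrives, strip the path parameter before routing, and still prefer the cookie when both are present. The request lines and header lists are constructed; the function and constant names are this example's own.

```python
from urllib.parse import urlsplit

# Added example, not blojsom or Tomcat code. Names below are this example's own.
SESSION_COOKIE = "JSESSIONID"
PATH_PARAM = "jsessionid"  # compared case-insensitively, as servlet containers do


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; the first occurrence of a name wins."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = val
    return cookies


def split_path_params(path):
    """Strip ';name=value' path parameters from every segment.
    '/blog/Website/;jsessionid=ABC' -> ('/blog/Website/', {'jsessionid': 'ABC'})."""
    clean, params = [], {}
    for segment in path.split("/"):
        base, _, rest = segment.partition(";")
        clean.append(base)
        for param in rest.split(";"):
            if param:
                key, _, val = param.partition("=")
                params[key.lower()] = val
    return "/".join(clean), params


def resolve_session(request_uri, headers):
    """Return (session_id, source, routed_path).

    The cookie wins when present; otherwise the ';jsessionid=' path parameter
    that URL rewriting appended (the form action in the thread) is accepted.
    routed_path is the URI with path parameters removed, which is what the
    application should dispatch on. headers is a list of (name, value) pairs."""
    parts = urlsplit(request_uri)
    path, params = split_path_params(parts.path)
    cookie_value = next((v for k, v in headers if k.lower() == "cookie"), "")
    cookies = parse_cookie_header(cookie_value)
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE], "cookie", path
    if PATH_PARAM in params:
        return params[PATH_PARAM], "url", path
    return None, None, path


if __name__ == "__main__":
    # Constructed requests: the rewritten comment-form POST with and without a cookie.
    print(resolve_session("/blog/Website/;jsessionid=ABC123", [("Host", "www.entropy.ch")]))
    print(resolve_session("/blog/Website/;jsessionid=ABC123",
                          [("Cookie", "JSESSIONID=C0FFEE; theme=dark")]))
    print(resolve_session("/blog/Website/", []))
```

The precedence order matters for the proxy case in this thread: while the cookie carries the wrong Path the URL parameter is the only source, and after the cookie path is corrected (ProxyPassReverseCookiePath, ROOT deployment or a Tomcat setting that emits Path=/) the cookie takes over and the parameter becomes redundant. A session id in the URL also ends up in access logs and in the Referer header of outbound links, which is why the cookie-path fix rather than URL rewriting is the end state to aim for.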
Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-27 00:21:23
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm using SCode and an Apache/Tomcat configuration (JkMount /blojsom worker1). I'm not experiencing any problems, or that's what I believe.

I'm slightly confused by the conversation because of what I have always understood about the cookie spec:

  path=PATH
  "The path attribute is used to specify the subset of URLs in a domain
  for which the cookie is valid. If a cookie has already passed domain
  matching, then the pathname component of the URL is compared with the
  path attribute, and if there is a match, the cookie is considered
  valid and is sent along with the URL request. The path "/foo" would
  match "/foobar" and "/foo/bar.html". The path "/" is the most general
  path.

  "If the path is not specified, it is assumed to be the same path as the
  document being described by the header which contains the cookie."

I read this to mean that a path of "/" is fine, it "covers" as appropriate for the domain or page, your request will send the Cookie header and the application will consume it as needed. And the `path' attribute is optional, though normally set by most servers.

I can demonstrate this with `curl' and the default behavior of Tomcat on an initial request. Tomcat sets a JSESSIONID on the initial request because it is not sure at that moment whether a client supports cookies or not, so attempts to set up "URL Rewriting" (this is left as an exercise for the developer to support later, otherwise Tomcat will just send a new JSESSIONID every time because the developer is not properly exercising caution by appending it to the URL). Marty Hall says in /More Servlets and JSP/:

  "If you redirect the user to another page within your own site, you should
  pass the URL through the encodeURL method of HttpServletResponse.
  Doing so is a simple precaution in case you ever use session
  tracking based on URL-rewriting. URL-rewriting is a way to track users
  who have cookies disabled while they are at your site. It is implemented
  by adding extra path information to the end of each URL, but the servlet
  session-tracking API takes care of the details automatically."

So on to my `curl' exercise:

tstonevenus [~] % curl --head \
 > http://localhost/blojsom/default/2006/09/02/Backstory.html \
 > --cookie /tmp/cookies \
 > --cookie-jar /tmp/cookies
HTTP/1.1 200 OK
Date: Wed, 27 Sep 2006 00:17:06 GMT
Server: Apache/2.0.53 (Unix) DAV/2 mod_jk/1.2.8
ETag: "a3f8c3fe31615c4383dc632ee618c033"
Last-Modified: Sat, 02 Sep 2006 05:44:44 GMT
Set-Cookie: JSESSIONID=566CAE7190A20C6E92C3C88C224DF845; Path=/
Content-Type: text/html;charset=UTF-8

tstonevenus [~] % curl --head \
 > http://localhost/blojsom/default/2006/09/02/Backstory.html \
 > --cookie /tmp/cookies \
 > --cookie-jar /tmp/cookies
HTTP/1.1 200 OK
Date: Wed, 27 Sep 2006 00:17:10 GMT
Server: Apache/2.0.53 (Unix) DAV/2 mod_jk/1.2.8
ETag: "a3f8c3fe31615c4383dc632ee618c033"
Last-Modified: Sat, 02 Sep 2006 05:44:44 GMT
Content-Type: text/html;charset=UTF-8

Notice the second response does not have a JSESSIONID? I attribute this to the server recognizing that I have a cookie for the domain, on the server root. Thus `curl' (through the necessary line switches) is sending and saving cookies for requests. Also, we have to remember that the "path=PATH" is optional.

Let's look at what `libcurl' is putting in my cookie-jar (this is a tab-delimited file):

tstonevenus [~] % less /tmp/cookies
# Netscape HTTP Cookie File
# http://wp.netscape.com/newsref/std/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

www.petmystone.com      FALSE   /       FALSE   0       JSESSIONID      1E1dada34B155333D4B65322A54FC6BF
localhost               FALSE   /       FALSE   0       JSESSIONID      566CAE7190A20C6E92C3C88C224DF845

The most recent reply on this list seems to validate that this is a JSESSIONID/encodeURL problem and not precisely a "cookie" problem.

Thoughts and corrections welcome.

Regards,
Tim

On Sep 26, 2006, at 5:36 AM, Cliffano Subagio wrote:

> Hi Marc,
>
> Is your cookie problem somehow similar to this http://blog.hasno.info/blog/segfault/2006/03/26/scode-captcha-finally.html ?
>
> Mark G (the blog author) contacted me earlier this year regarding the issue. His fix was done on top of scode plugin, I think it would be handy if the solution can be a generic plugin where users can easily pass around the jsession id / cookie.
>
> The plugin you created might do that.
>
> Cheers,
> Cliff.
>
> On 9/24/06, Marc Liyanage wrote:
> I tried to activate the math comment moderation plugin but every
> single comment was flagged as spam and killed.
> [...]

-- 
Timothy Stone   |    www dot petmystone dot com
Rising Sun, MD  |  tstone at petmystone dot com

"This Satan's drink [coffee] is so delicious...
  we shall cheat Satan by baptizing it."
  Pope Clement VIII (1592-1605)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFGcQLNsfkZJstizoRAgjlAKC83XUjPo/PIkfaf+I8/CYQSf2X2QCghOol
ys+aH6xBVAJ1AK89422NUm0=
=JnxP
-----END PGP SIGNATURE-----

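Tim's curl exercise from the client's side, as an added example (not libcurl or Tomcat code): a parser for the Netscape-format cookie jar he lists, and the domain, path, secure and expiry checks a client applies before attaching a cookie to a request. The jar contents are constructed from the two lines he shows (a leading dot on the domain is treated as the subdomain flag, a simplification of libcurl's full rules); all function names are this example's own. It also shows the thread's failure case: the same jar entry stored with Path=/blojsom is never sent to /blog.

```python
import time
from urllib.parse import urlsplit

# Constructed cookie jar in libcurl's Netscape format. Fields are tab-separated:
# domain, subdomain flag, path, secure flag, expiry (0 = session cookie), name, value.
# The two entries are the ones shown in the thread.
COOKIE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "# This file was generated by libcurl! Edit at your own risk.\n"
    "\n"
    "www.petmystone.com\tFALSE\t/\tFALSE\t0\tJSESSIONID\t1E1dada34B155333D4B65322A54FC6BF\n"
    "localhost\tFALSE\t/\tFALSE\t0\tJSESSIONID\t566CAE7190A20C6E92C3C88C224DF845\n"
)


def parse_cookie_jar(text):
    """Parse Netscape cookie-file lines into dicts; comments, blank lines and
    lines with the wrong field count are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, subdomains, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain.lstrip("."),
            "subdomains": subdomains == "TRUE" or domain.startswith("."),
            "path": path,
            "secure": secure == "TRUE",
            "expiry": int(expiry),
            "name": name,
            "value": value,
        })
    return cookies


def domain_matches(cookie_domain, host, subdomains):
    """Exact host match, or a subdomain match when the entry allows it."""
    if host == cookie_domain:
        return True
    return subdomains and host.endswith("." + cookie_domain)


def path_matches(cookie_path, request_path):
    """Netscape-spec prefix matching, the rule quoted in the thread."""
    return request_path.startswith(cookie_path)


def cookies_for(jar, url, now=None):
    """Select the jar entries a client would attach to a request for url."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    chosen = []
    for c in jar:
        if c["expiry"] and c["expiry"] < now:
            continue  # expired; 0 means a session cookie and is never expired here
        if c["secure"] and parts.scheme != "https":
            continue
        if not domain_matches(c["domain"], host, c["subdomains"]):
            continue
        if not path_matches(c["path"], path):
            continue
        chosen.append(c)
    # More specific (longer) paths first, as browsers order them.
    chosen.sort(key=lambda c: len(c["path"]), reverse=True)
    return chosen


def cookie_header(jar, url, now=None):
    """The Cookie request header for url, or None when nothing applies."""
    chosen = cookies_for(jar, url, now)
    if not chosen:
        return None
    return "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in chosen)


if __name__ == "__main__":
    jar = parse_cookie_jar(COOKIE_JAR)
    # Tim's second request: the Path=/ entry for localhost comes back, so Tomcat
    # does not issue a new JSESSIONID.
    print(cookie_header(jar, "http://localhost/blojsom/default/2006/09/02/Backstory.html"))
    # Marc's case: an entry stored with Path=/blojsom is never sent to /blog.
    narrow = parse_cookie_jar("localhost\tFALSE\t/blojsom\tFALSE\t0\tJSESSIONID\tEXAMPLEID\n")
    print(cookie_header(narrow, "http://localhost/blog/Website/"))
```

Running the two cases side by side makes the difference between the two setups visible: Tim's server stored the cookie with Path=/, so every request to localhost carries it, whereas a cookie stored with Path=/blojsom fails the prefix test for /blog and the client sends no Cookie header at all, which is the request Tomcat then treats as a new visitor.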
Cookie Path Problems Apache/Tomcat / Math Plugin
user name
2006-09-27 09:34:00

On 27.09.2006, at 02:21, Timothy Stone wrote:

> I'm slightly confused by the conversation because of what I have always understood about the cookie spec:
>
>  path=PATH
> "The path attribute [...]

That is exactly how I understood it.

> I read this to mean that a path of "/" is fine

It would be fine, but the issue I and others have is that "/" is not what the servlet container sends along in the Set-Cookie header:


> primavera:~ liyanage$ curl -D - http://www.entropy.ch/blog/Website/
> HTTP/1.1 200 OK
> Date: Wed, 27 Sep 2006 09:15:15 GMT
> Server: Apache
> Cache-Control: max-age=60
> Expires: Wed, 27 Sep 2006 09:16:15 GMT
> Set-Cookie: JSESSIONID=99E2B69BF4FF243F3463134D36703F81; Path=/blojsom

This snippet shows two things: The request goes to /blog, but because of the internal redirection Tomcat sees it as /blojsom and that's what it uses as cookie path in the response.

I don't know why your Tomcat doesn't do it the same way. Do you have a newer version?

The only way I know of to get Tomcat 4.x to send the Set-Cookie header with a cookie path of "/" is to deploy the web application as the ROOT web app, but that is obviously not a solution if you map several Java web apps into your Apache-based web site.

I believe this issue is why an explicit ProxyPassReverseCookiePath directive was added to newer (>= 2.2) mod_proxy implementations:

     http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Another way to get Tomcat versions *newer than 4.x* to send the header with the "/" path is to set the "emptySessionPath" attribute of the "Connector" XML config element to "true":

     http://tomcat.apache.org/tomcat-5.5-doc/config/http.html



Does any of that apply to your setup?










_________________________________________________________________
Marc Liyanage                               http://www.entropy.ch


