
Key: JRA-10105
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Dushan Hanuska [Atlassian]
Reporter: Sulka Haro
Votes: 4
Watchers: 4
JIRA

jsessionid twice in URL causes Fix and Affects version links to break in issue view screen during session's first page view

Created: 08/May/06 02:56 AM   Updated: 30/Jul/06 07:37 PM
Component/s: Web interface
Affects Version/s: 3.6.1
Fix Version/s: 3.6.3

Time Tracking:
Original Estimate: Not Specified
Remaining Estimate: 0 minutes
Time Spent: 6 hours

Participants: Andreas Deimer, Dushan Hanuska [Atlassian], Jeff Turner [Atlassian], Keith Brophy, Scott Farquhar [Atlassian] and Sulka Haro
Since last comment: 2 years, 15 weeks, 3 days ago
Resolution Date: 29/Jun/06 06:29 PM


Description
Steps to reproduce:

1) Authenticate into Jira and use the Remember Me feature so your authentication is remembered.
2) Go to an issue screen which shows Fix For and Affects Version links.
3) Copy the link to clipboard.
4) Restart your browser so your session is reinitialized.
5) Paste the URL to your browser's address bar.
6) Try to click on either Fix Version or Affects Version links - Jira throws a NumberFormatException.

For example, here's the Fix For Version URL I get here on jira.atlassian.com when viewing issue CONF-6023 screen.

http://jira.atlassian.com/secure/IssueNavigator.jspa?reset=true&mode=hide&sorter/order=ASC&sorter/field=priority&pid=10470;jsessionid=123&fixfor=11890;jsessionid=123

AFAIK this has been fixed a number of times so I guess it's a regression? Also note the jsessionid is included twice in this URL while most URLs on the screen don't include the GET parameter at all.



Jeff Turner [Atlassian] added a comment - 10/May/06 03:42 AM
Sulka,

Which browser are you using?

I can't replicate this with Firefox. I have:

It loads fine, without any ;jsessionids.

However, other people are reporting this problem too (eg. a report logged in JRA-9641) so something must be going on.

Perhaps there is a company proxy that could be interfering with cookie scopes?


Sulka Haro added a comment - 10/May/06 03:59 AM
Sorry, should have included the URL in the description. The problem is in the issue viewing screen - you were supposed to copy the url to the issue screen, not the version screen. For example, I just used "http://jira.atlassian.com/browse/JRA-10105" to replicate this by clicking the URL in the email I got when you commented on this issue.

So, if you're using the Remember Me and get this email, first go and quit your browser, then click on the link in the email. The Affects Version links should be broken in the issue screen.

Also note the problem goes away after you've clicked on anything on the page, so I think the problem is related to the page being rendered within the request that creates a new session within the servlet container. The container seems to think it has to append the jsessionid IDs into the URLs because the request didn't send the jsessionID cookie and hence the container doesn't yet know if the user accepts cookies or not. To make sure the session works, it puts the IDs into URLs as GET parameters so the next request will work correctly even if I didn't accept the cookie.

I can replicate this using both Safari (2.0.3) and Firefox (1.5.0.3). There is no company proxy.


Jeff Turner [Atlassian] added a comment - 12/May/06 12:48 AM
Thanks, I see what you mean. I can replicate this with JIRA Standalone too.

Jeff Turner [Atlassian] added a comment - 22/May/06 07:12 PM
This bug also results in a stacktrace in the logs, eg:
java.lang.NumberFormatException: For input string: "10000;jsessionid=C3FEE0267EC623A98DFE08D8944F8FCA"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
	at java.lang.Long.parseLong(Long.java:412)
	at java.lang.Long.<init>(Long.java:671)
	at com.atlassian.jira.util.ParameterUtils.getLongListFromStringArray(ParameterUtils.java:394)
	at com.atlassian.jira.issue.transport.impl.IssueNavigatorActionParams.getSearchContext(IssueNavigatorActionParams.java:52)
	at com.atlassian.jira.web.action.issue.SearchDescriptionEnabledAction.getSearchContext(SearchDescriptionEnabledAction.java:107)
	at com.atlassian.jira.web.action.issue.IssueNavigator.populateAndValidate(IssueNavigator.java:237)
	at com.atlassian.jira.web.action.issue.IssueNavigator.doExecute(IssueNavigator.java:120)
	at webwork.action.ActionSupport.execute(ActionSupport.java:153)
	at com.atlassian.jira.action.JiraActionSupport.execute(JiraActionSupport.java:58)
	at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:132)
	at com.atlassian.jira.web.dispatcher.JiraServletDispatcher.service(JiraServletDispatcher.java:178)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.jira.web.filters.AccessLogFilter.doFilter(AccessLogFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119)
	at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55)
	at com.atlassian.jira.web.filters.SitemeshExcludePathFilter.doFilter(SitemeshExcludePathFilter.java:38)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.seraph.filter.LoginFilter.doFilter(LoginFilter.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
	at com.atlassian.jira.web.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:25)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:37)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:64)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:298)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:204)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)

Andreas Deimer added a comment - 01/Jun/06 02:29 AM
Jeff,

A lot of our users are now reporting the same problem. It seems to have started happening when we switched to Jira 3.6.1.
Could you please provide us with a quick fix/hack/whatever soon?

Thank you very much!

Best regards
Andreas


Jeff Turner [Atlassian] added a comment - 01/Jun/06 08:35 PM
There is no workaround unfortunately. Either don't go directly to the issue page or click Back and click the link again if this happens.

Scott Farquhar [Atlassian] added a comment - 05/Jun/06 09:52 PM
Basically, ActionContext seems to be getting the jsessionid. The code that does this is:
Enumeration e = request.getParameterNames();
while (e.hasMoreElements())
{
   final String key = e.nextElement().toString();
   final String[] value = request.getParameterValues(key);

   entries.add(new Map.Entry()
   {
      public boolean equals(Object obj)
      {
         Map.Entry entry = (Map.Entry)obj;
         return (key==null ?
            entry.getKey()==null : key.equals(entry.getKey()))  &&
            (value==null ?
               entry.getValue()==null : value.equals(entry.getValue()));
      }

      public int hashCode()
      {
         return (key==null   ? 0 : key.hashCode()) ^
                 (value==null ? 0 : value.hashCode());
      }

      public Object getKey()
      {
         return key;
      }

      public Object getValue()
      {
         return value;
      }

      public Object setValue(Object obj)
      {
         // Not allowed
         throw new UnsupportedOperationException("Can't set parameter");
      }
   });
}

Somehow request.getParameterValues() is including the jsessionid. To me this seems to be an application server problem?


Keith Brophy added a comment - 27/Jun/06 11:37 PM
This issue arises due to incorrect usage of the <webwork:url> tag whereby it is included in a url as follows:
<a title="Stuff" href="/secure/IssueNavigator.jspa?reset=true&mode=hide&sorter/order=ASC&sorter/field=priority&pid=<webwork:url value="/selectedProject/long('id')" />"> Stuff </a>

Each time the <webwork:url> tag is processed, the HttpServletResponse.encodeURL() method is called, which results in the jsessionid being appended to the end of the returned section of the URI.

In order to avoid this, the <webwork:url> tag should be used correctly and the URL should be constructed as follows:

<webwork:url page="/secure/IssueNavigator.jspa">
            <webwork:param name="'pid'" value="/selectedProject/long('id')"/>
            <webwork:param name="'reset'" value="'true'"/>
            <webwork:param name="'mode'" value="'hide'"/>
</webwork:url>

If the <webwork:url> is used multiple times in one link - as is done in the file listbynamewithnavlink.jsp, the resulting URL has multiple references to the jsessionid.
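
The following is an added example, not part of the original thread and not JIRA or WebWork code. It reproduces the two behaviours described in the comments above: encoding a URL fragment per value versus encoding the whole URL once, on a first request that carried no session cookie. `encodeURL` here is a simplified stand-in for `HttpServletResponse.encodeURL()` (it ignores `#` anchors), and `param` is a hypothetical helper; the session ID and parameter values are constructed, following the URL in the description.

```java
public class JsessionidRewriteDemo {
    // Simplified stand-in (assumption) for HttpServletResponse.encodeURL() when the
    // request sent no session cookie: the container places ;jsessionid=<id> at the
    // end of the path, i.e. before any '?' query string.
    static String encodeURL(String url, String sessionId) {
        String suffix = ";jsessionid=" + sessionId;
        int q = url.indexOf('?');
        return q < 0 ? url + suffix : url.substring(0, q) + suffix + url.substring(q);
    }

    // Hypothetical helper: raw query-string lookup, no URL decoding.
    static String param(String url, String name) {
        int q = url.indexOf('?');
        if (q < 0) return null;
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) return pair.substring(eq + 1);
        }
        return null;
    }

    public static void main(String[] args) {
        String sid = "123"; // constructed session ID
        String base = "/secure/IssueNavigator.jspa?reset=true&mode=hide&pid=";

        // Tag used once per value: every fragment is passed through encodeURL(),
        // so the session ID lands inside the parameter values, once per fragment.
        String perFragment = base + encodeURL("10470", sid)
                + "&fixfor=" + encodeURL("11890", sid);

        // Whole URL assembled first and encoded once: the session ID stays in the
        // path segment and the parameter values remain numeric.
        String wholeUrl = encodeURL(base + "10470" + "&fixfor=" + "11890", sid);

        for (String url : new String[] {perFragment, wholeUrl}) {
            System.out.println(url);
            try {
                System.out.println("  pid parsed as " + Long.parseLong(param(url, "pid")));
            } catch (NumberFormatException ex) {
                // Same failure mode as the stack trace logged in this issue.
                System.out.println("  " + ex);
            }
        }
    }
}
```

Beyond the parse failure, the per-fragment form also copies the session ID into every generated link, so it travels with any URL a user copies or shares from that first page view.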


Jeff Turner [Atlassian] added a comment - 28/Jun/06 01:24 AM
The same sort of problem is happening on the dashboard bar graph links. See JRA-10499