Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-4785

Enable Cross (Sub)Domain Tracking is not working - tomcat



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Trunk, Upcoming Branch
    • None
    • Bug Crush Event - 21/2/2015


      While we were upgrading ofbiz for our applications, i have noticed the usage of enabling cross domain tracking and was planning to use. We had custom solution previously for tomcat, as it was not supporting session cookie domain to be configurable (vesion ).

      Here is the description of the issue,

      In ofbiz cross domain session cookies was allowed using configuration in ofbiz-container.xml, by setting value for cookie.domain in url.properties. enad enabling the property "enable-cross-subdomain-sessions" to true in ofbiz-containers.xml. This is not working.

      When debugged i have noticed the cause in CrossSubdomainSessionValue.java were cookie domain is supposed to be replaced/overriden in response mime headers, but it was trying to replace in request mime headers. Here is the line of code in CrossSubdomainSessionValve
      MimeHeaders mimeHeaders = request.getCoyoteRequest().getMimeHeaders();
      following this is the line
      if (mimeHeaders.getName.equals("Set-Cookie")) { // in request the header is "Cookie" and in response the header is "Set-Cookie".
      When checked with svn history - i noticed it was replacing the response headers till version r938061 which is expected behaviour, after a migration to tomcat 7 revision r938061 i noticed the above described change.
      I assume this was done due to deprecation of method "getCoyoteResponse()" in Request i.e request.getCoyoteResponse().getMimeHeaders();

      However i have following observations which can be considered in fixing, i would attach the patches after we validate them
      I do not see the need of CrossSubdomainSessionValve any more now, as tomcat since version 6.0.27 supports configuring domain for session cookies in "Context".
      We can use the StandardContext to set the sessionCookieDomain.
      With that said, there were two approaches two acheive this
      1. Use the standard cookie.domain in url.properties to set to sessionCookieDomain when enable-cross-subdomain-sessions is set to true. which i think is self explanatory
      2. Allow the configuration of cookie domain via webapp info defined in ofbiz-component.xml(which is actually the Context used by tomcat). However i am not able to find a relevant context to support this, but seems a possibility

      Please let me know your thoughts




            Unassigned Unassigned
            sharadbhushank K Sharad Bhushan
            0 Vote for this issue
            1 Start watching this issue