OSCache
Created: 21/Nov/03 10:55 AM
Updated: 21/Jan/07 01:53 PM
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0

Description
I'd like to collect thoughts on caching session IDs in URLs (jsessionid).
As far as I can tell, OSCache does not support this, and the current non-support could lead to some security problems on poorly configured systems (i.e. caching a page with a session id and later redisplaying it).
An idea on how to support this is as follows:
1. use some combination of request.isRequestedSessionIdFromCookie and request.getSession to tell if this page could have session-encoded URLs
2. if that's the case, scan through the content replacing the session ID with a special token
3. cache the page
4. when retrieving from the cache, replace the token with the current session id.
All very straightforward, but an important issue pops up.
What if the cached page doesn't have encoded URLs (i.e. the first user to view had cookies on)? Then there's no easy way to know which URLs to re-encode for the next non-cookie user.
The two solutions I see are:
1. prepopulate the cache with encoded URLs, then for cookie users, just strip the whole thing off.
2. keep 2 versions in the cache, 1 with the session token and 1 without.
I'm not sure how to do the first one, and the second one is a bit wasteful...
Does anyone else have ideas? Or other issues?
I think I'll try to tackle this once I get a clearer picture of what the best solution is.
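The four steps and the two-variant idea from the description, written out as an added example. This is not OSCache code and not the reporter's patch: the servlet-API calls (isRequestedSessionIdFromCookie, getSession) are stood in for by the boolean parameters so it compiles and runs without a container, the token name `__JSESSIONID__`, the class and method names, and the sample markup are all assumptions made for the example. It also adds the check a practitioner would want here: the cache refuses to keep any content that still carries a live session id, which is exactly the leak the description warns about.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not OSCache code): a cache entry that never stores a live
 * session id. Boolean flags simulate the servlet-API calls named in the issue.
 */
public class SessionTokenCache {

    /** Placeholder written into cached content in place of the real session id (assumed name). */
    static final String TOKEN = "__JSESSIONID__";

    /** Matches the ";jsessionid=<id>" path parameter that servlet URL rewriting appends. */
    static final Pattern JSESSIONID = Pattern.compile(";jsessionid=([A-Za-z0-9._-]+)");

    /** Solution 2 from the issue: two variants per key; either may be absent. */
    static final class Entry {
        String withToken;     // served to clients that need URL rewriting
        String withoutToken;  // served to clients that carry the id in a cookie
    }

    private final Map<String, Entry> cache = new HashMap<>();

    /**
     * Steps 1-3: store a rendered page. sessionIdInUrl stands in for
     * !request.isRequestedSessionIdFromCookie() on the request that rendered it.
     */
    public void put(String key, String content, String sessionId, boolean sessionIdInUrl) {
        Entry e = cache.computeIfAbsent(key, k -> new Entry());
        if (sessionIdInUrl) {
            // Step 2: replace the concrete id with the token before anything is stored.
            e.withToken = content.replace(";jsessionid=" + sessionId, ";jsessionid=" + TOKEN);
            // Solution 1 from the issue: cookie users get the same page with the parameter stripped.
            e.withoutToken = e.withToken.replace(";jsessionid=" + TOKEN, "");
        } else {
            // Cookie user's render: no encoded URLs, so no tokenised variant can be derived.
            e.withoutToken = content;
        }
        // Defensive check: never keep content that still carries a raw session id.
        if (containsRawSessionId(e.withToken) || containsRawSessionId(e.withoutToken)) {
            cache.remove(key);
            throw new IllegalStateException("refusing to cache content containing a live session id");
        }
    }

    /**
     * Step 4: retrieve and re-encode with the current user's id. Returns null on a miss,
     * including the case the issue raises: a URL-rewriting client asks for a page that
     * was first rendered for a cookie user, so there is nothing to re-encode.
     */
    public String get(String key, String currentSessionId, boolean needsUrlRewriting) {
        Entry e = cache.get(key);
        if (e == null) return null;
        if (!needsUrlRewriting) return e.withoutToken;
        if (e.withToken == null) return null;
        return e.withToken.replace(";jsessionid=" + TOKEN, ";jsessionid=" + currentSessionId);
    }

    /** True if stored content contains a jsessionid parameter whose value is not the token. */
    static boolean containsRawSessionId(String stored) {
        if (stored == null) return false;
        Matcher m = JSESSIONID.matcher(stored);
        while (m.find()) {
            if (!TOKEN.equals(m.group(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        SessionTokenCache cache = new SessionTokenCache();

        // Constructed sample render for a user whose session id was carried in the URL.
        String render = "<a href=\"/app/list;jsessionid=ABC123\">list</a>";
        cache.put("/app/index", render, "ABC123", true);

        // A later URL-rewriting client receives its own id, never ABC123.
        System.out.println(cache.get("/app/index", "XYZ789", true));
        // A cookie client receives the page with the parameter stripped.
        System.out.println(cache.get("/app/index", "XYZ789", false));

        // Page first rendered for a cookie user: there are no encoded URLs to learn from.
        cache.put("/app/other", "<a href=\"/app/list\">list</a>", "Q1", false);
        // A URL-rewriting client must miss and re-render rather than be handed unencoded links.
        System.out.println(cache.get("/app/other", "R2", true));
    }
}
```

Run stand-alone, the first lookup carries XYZ789 in the link, the second carries no jsessionid parameter at all, and the third is a miss. The miss is the cost of the problem the description identifies: once a page has been cached from a cookie user's render, the cache cannot tell which links would have been rewritten, so handing that copy to a non-cookie user would silently drop their session; falling back to a fresh render is the safe choice.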
It's a first attempt, so it's not well tested. It only fixes the behavior of the taglibs, not the cache filter.