I’ve come across the following problem in IE7 in several products which I initially commented on at the MVN Forum forum (incidentally MVN Forum is a great open source Java Web Forum). Here is a copy:
First, thanks for MVNForum – I’ve used it before, and I have now come back 4 years later to use it again. Its perfect for an all Java platform!
But I have a strange bug, which I have figured out. For some reason, with IE7, Tomcat 5.5.9 (and later), MySQL 4.1.x, I find that with IE7 only (not Firefox), it is putting the jsessionid into the URL instead of using a cookie. I have tried changing all the settings in MVN as well as in IE, but it still uses URL rewriting when using my site, even though the cookies work perfect on this forum… I can’t figure that bit out…
Anyway, I debugged into MVNForum to see what was going on, and I noticed that after one enters their login details, it sends a redirect. In this redirect, the "redirect-to URL", does not contain the jsessionid, and so a new session is started. That means users cannot then do admin, or whatever, depending on user permissions, because the server thinks its a new session and wants them to authenticate again.
I used the debugger and on line 426 of com.mvnforum.user.UserModuleProcessor (right at the bottom of the process(HttpServletRequest, HttpServletResponse) method), I modified the value of the responseURI in the JVM, to include ";jsessionid=XXX" where XXX was the value of my session ID. It worked perfectly.
I would suggest that in this processor, and the corresponding admin processor (if there is one), that it check if the original request URI contained the jsessionid. If yes, then it should add it to the response URI.
I would look into changing settings in the browser in more detail, but to support any user on any browser, I would rather fix a bug serverside.
Please let me know if/when this bug will be fixed in release, so I can download the latest patched version.
To test it, disable cookies in the browser.