My application is running struts 1.1 on tomcat 7.0.47. Whenever I request a jsp like this :
http://localhost:8080/myTestPage.jsp?lang=fr
The value lang=fr is automatically stored in cookies . Even if the jsp is not related to an action in the config, and contains only "eclipse jsp's template code".
This is a security issue as there is no controle over this parameter ( you can inject JS ).
How or why this parameter is stored ? This behavior applies only for the lang parameter .
On
Sounds to me like your cookie interceptor is active in (your / one of your) config file, something like this:
<action ... >
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1</param>
<param name="cookiesValue">cookie1value</param>
</interceptor-ref>
<interceptor-ref name="cookie">
<param name="cookiesName"<cookie2</param>
<param name="cookiesValue">cookie2value</param>
</interceptor-ref>
....
</action>
Taken from this link: https://struts.apache.org/core-developers/cookie-interceptor.html
Finally I found the class causing the problem using the profiler (jvisualvm.exe) that comes with the JVM :
It has nothing to do with struts. It was a custom Tomcat Valve configured on the server.xml file ( server level ). That valve was in in a jar in /lib folder.
That explains why I couldnt find the class, it was not visible from the project classpath .
So what I did is just modify the valve source code to match the behavior I want, package the Jar and put it again in /lib .