jsp tomcat localization tomcat7 struts1

jsp lang parameter is automatically stored in cookie in struts 1.1


My application is running Struts 1.1 on Tomcat 7.0.47. Whenever I request a JSP like this:

http://localhost:8080/myTestPage.jsp?lang=fr

The value lang=fr is automatically stored in cookies, even if the JSP is not related to an action in the config and contains only "eclipse jsp's template code".

This is a security issue as there is no control over this parameter (you can inject JS).

How or why is this parameter stored? This behavior applies only to the lang parameter.


Solution

  • Finally I found the class causing the problem using the profiler (jvisualvm.exe) that comes with the JVM:

    It has nothing to do with Struts. It was a custom Tomcat Valve configured in the server.xml file (server level). That valve was in a jar in the /lib folder.

    <!-- server.xml -->
    <Valve className="com.example.ValveExample" />
    

    That explains why I couldn't find the class: it was not visible from the project classpath.

    So what I did was modify the valve source code to match the behavior I want, package the jar and put it back in /lib.
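
One way such a valve could be corrected, as an added example that is not the poster's code: the original valve source is not shown on the page, so the class body, the supported-language set and the cookie attributes are assumptions, and only the class name is taken from the server.xml snippet. The valve persists `lang` in a cookie only when the value is on an allowlist, so arbitrary request input never reaches the cookie.

```java
package com.example; // hypothetical package, mirrors the className in server.xml

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Stores the "lang" request parameter in a cookie only when it is allowlisted. */
public class ValveExample extends ValveBase {

    // Assumption: the application supports exactly these languages.
    private static final Set<String> SUPPORTED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("en", "fr", "de")));

    private static final String NAME = "lang";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String lang = request.getParameter(NAME);

        // Unknown or malformed values are dropped: they are neither
        // stored in the cookie nor echoed back to the client.
        if (lang != null && SUPPORTED.contains(lang)) {
            // The value is one of the fixed allowlist strings, so no markup
            // or header-breaking characters can end up in the cookie.
            Cookie cookie = new Cookie(NAME, lang);
            cookie.setPath("/");
            cookie.setHttpOnly(true);             // Servlet 3.0, available on Tomcat 7
            cookie.setSecure(request.isSecure()); // Secure flag on HTTPS requests
            response.addCookie(cookie);
        }

        // Always hand the request on to the next valve in the pipeline.
        getNext().invoke(request, response);
    }
}
```

Because the valve is declared at server level, every web application on that Tomcat instance passes through it, so any page that reads the `lang` cookie back into HTML should still encode it on output.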