geode-issues mailing list archives

From "Dan Smith (JIRA)" <>
Subject [jira] [Created] (GEODE-3812) Stop using JSESSIONID cookie in session module
Date Wed, 11 Oct 2017 17:46:00 GMT
Dan Smith created GEODE-3812:

             Summary: Stop using JSESSIONID cookie in session module
                 Key: GEODE-3812
             Project: Geode
          Issue Type: Bug
          Components: http session
            Reporter: Dan Smith

The session module for generic application servers sets the JSESSIONID cookie in SessionCachingFilter.addSessionCookie.

The application server also sets the JSESSIONID cookie, as specified by the Java Servlet spec.

It's somewhat undefined what the container will do in this case. It looks like depending on
the version of Jetty, it will either keep Geode's JSESSIONID or it will put both cookies in
the response, with the Geode one coming last. Technically that is against RFC 6265, which
says "Servers SHOULD NOT include more than one Set-Cookie header field in the same response
with the same cookie-name." However, it looks like browsers will tend to keep the last session
cookie so things aren't failing at the moment.

We should stop using the same cookie name as the container to avoid this conflict.

This message was sent by Atlassian JIRA
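
The duplicate-cookie condition this issue describes can be caught in an integration test by auditing the response's Set-Cookie headers. The following is an added example, not code from Geode or from the reporter; the function names, header values and session ids are constructed, and the client model assumes a single host and a default path of "/".

```python
from collections import defaultdict

# Constructed sample: response headers kept as an ordered list of pairs.
# A dict would silently drop all but one Set-Cookie header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=container-id-0001; Path=/app; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=geode-id-0002; Path=/app; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    first, *rest = value.split(";")
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name.strip(), cookie_value.strip(), attrs


def set_cookies(headers):
    """Yield parsed cookies in response order (header names are case-insensitive)."""
    for header, value in headers:
        if header.lower() == "set-cookie":
            yield parse_set_cookie(value)


def duplicate_cookie_names(headers):
    """Return {name: [values in order]} for cookie names set more than once."""
    seen = defaultdict(list)
    for name, cookie_value, _ in set_cookies(headers):
        seen[name].append(cookie_value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


def client_jar(headers, default_path="/"):
    """Model RFC 6265 storage: a later cookie replaces an earlier one that has
    the same name and path (same domain assumed), so the last one wins."""
    jar = {}
    for name, cookie_value, attrs in set_cookies(headers):
        jar[(name, attrs.get("path") or default_path)] = cookie_value
    return jar
```

If the two JSESSIONID cookies carried different Path attributes, the modelled jar would hold both rather than keeping only the last, while `duplicate_cookie_names` would still flag the name.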