tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 49641] New: new session after invalidation during request does not set JSESSIONID cookie anymore
Date Fri, 23 Jul 2010 11:14:33 GMT

           Summary: new session after invalidation during request does not
                    set JSESSIONID cookie anymore
           Product: Tomcat 6
           Version: 6.0.28
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina


We encountered some problems after migrating our servers from 6.0.20 to 6.0.28
. When the session on the request is invalidated and a new session is created
afterwards, the JSESSIONID cookie is no longer overriden. In 6.0.20 and before,
this used to be the case. Since the cookie is no longer set, the session can
not be recovered by the next request which in our case, resulted in users being
logged out.

Example program to illustrate:
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : request.getCookies()) {
            if (cookie.getName().equals("JSESSIONID")) {
                System.out.println("value in cookie: " + cookie.getValue());
    HttpSession session = request.getSession(true);
    System.out.println("old sessionid = " + session.getId());
    session = request.getSession(true);
    System.out.println("new sessionid = " + session.getId());

When calling this servlet twice in succession, in tomcat 6.0.20, something
similar to this will be written to the console.

old sessionid = 62AD53E16A9569D5AC4FBF19858C5891
new sessionid = 803B5B8E3E02E3AC22C05AD358F223AB

value in cookie: 803B5B8E3E02E3AC22C05AD358F223AB
old sessionid = 803B5B8E3E02E3AC22C05AD358F223AB
new sessionid = E05A9C20C24B674B3248D9CC90D1977E

However, when calling the same servlet in tomcat 6.0.28, the following is
written to the console.

old sessionid = 33DEDE7EF2FC2DC6402F762B990D4181
new sessionid = B3B59185E8A4DC77090EFDE0F726936F

value in cookie: 33DEDE7EF2FC2DC6402F762B990D4181
old sessionid = 37844A45333F3F72B08EE35067A03C5A
new sessionid = 73C1B799ABF7C24CBCC71F0BA177E24D

As you can see, upon handling the second request, the cookie still retains the
sessionid of the previous session and not that of the newly created session.

We hope this problem shall be addressed in a future release. We have hacked
around this problem by explicitly setting the cookie after the session has been
changed, but this should not be a permanent solution as far as we are

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message