tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Keyes" <>
Subject RE: Cookie handling in IE6 and session handling of tomcat 4.1.24
Date Thu, 26 Jun 2003 12:59:46 GMT
For any two domains, A and  B, if B is a subdomain of A (e.g., B.A), and if two different
J2EE app servers are hosting those domains, the following will be true, assuming that the
two appservers create session cookies that are identical except for the domain (note that
a cookie consists of: name, domain, path, expiration):

* If a user, running Internet Explorer, uses J2EE apps running on both domains, causing a
session to be established on both domains simultaneously, the client accessing the application
running in domain B will not be able to access a session established in domain B.

This is due to the fact that IE orders cookies from least-specific to most-specific WITH RESPECT
TO DOMAIN in an HTTP request.  ANY app server that looks for the FIRST cookie named JSESSIONID
will be susceptible to this problem.

In our case, tomcat was serving up JSPs on "", causing a J2EE servlet session to be created
when that page was loaded.  Immediately after hitting, "" was being loaded, which
also caused a session to be created.  Both sessions were being identified by cookies set in
the client browser.  The cookies both had an ID of JSESSIONID, with an identical path.  The
only difference between the cookies was the domain (one was "", and the other was "").
 When interacting with the app on, each request included an HTTP header  specifying
client-side cookies.  In that header, the JSESSIONID created by was ordered BEFORE the
JSESSIONID created by  The appserver on domain was consequently attempting
to find the session that had been created on, and since it could not, was creating a
new session with each request.

Dave Keyes

-----Original Message-----
From: Suraj Berwal []
Sent: Wednesday, June 25, 2003 11:00 AM
To: Tomcat Users List"
Subject: Cookie handling in IE6 and session handling of tomcat 4.1.24

dear tim,
   i am facing a similar problem with my clients on IE6.0 regarding the session handling using
tomcat 4.1.24. Actually the data is getting swapped for users there. can you please elaborate
on the info you have posted about cookie problem in IE and how it can affect the session handling
in tomcat. i have a singlw webapp and the tomcat is running on Standalone mode.

suraj berwal
>Do you have other webapps? I thought I recall at one time, some version of IE 
>did send cookies in the correct order. This can hurt session handling in tomcat.


>Billy Ng wrote:
>> Hi folks;
>> I have a customer complains the IE 6 sp1 times out the tomcat session way before
the tomcat default session time out >>settings.  I tried to reproduce it but I can't.
 Have anybody experienced this?
>> Billy Ng

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message