tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat creates a cookie with a new jsessionid when timeout occurs
Date Tue, 01 Aug 2006 14:19:05 GMT
Luis,

> I am using the url rewriting method for session maintenance, but when a
> timeout occurs in my web application, tomcat sets a cookie named
> jsessionid (used for session tracking purposes) with a new session id
> value before redirecting the user to the login page. This jsessionid
> cookie value does not match the previous session id, it is a new one,
> and is also different from the new one created in the (re)login
> process.

This is expected behavior.

> Why does this happen? Does tomcat always create a jsessionid cookie
> when a timeout occurs? And if this is a tomcat issue, how do I disallow
> this (if it is possible, anyway)?

Tomcat is creating a new session in this case because it is redirecting
the user to the login page, and wants to make sure that the original
request (the one that was intercepted in order to take the user to the
login page) is fulfilled. It does this by storing that information in
the session (or, if not actually /in/ the session, it is at least
/related/ to the session).

So, Tomcat is preparing for a login, and creates a session to handle
everything. If you want to disable session creation, I think you are
going to have to turn off container-managed authentication (and then
you'll have to implement your own).

-chris



Mime
View raw message