tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darryl Miles <>
Subject Re: Tomcat 5.5 setting two JSESSIONID cookies in same response
Date Fri, 01 Sep 2006 21:24:37 GMT
David Cotter wrote:
> This turns out to be because I call session.invalidate() and then
> request.getSession(true). I don't have to do this so it's fine. Don't know
> if two JSESSIONIDs is valid behaviour.

In the case of the sample quoted the new one will just overwrite it. 
There are a few minor problems with cookie handling in TC, seeing two 
cookies for the same value is one I've seen before (and there is no API 
call to ask for a list of currently set cookies in the response, I can 
only ask what I was given in the request, Duh!).

Invalidating the session should setup the cookie to expire/delete the 
current value, the session object maybe live during the request but 
after the request has been processed its destroys.

It should be valid to call getSession(true) afterwards (within the same 
request) and you should be guaranteed a brand new JSESSIONID.  This 
would be a very common way of writing a web-app and conceptually there 
isn't any technical reason why you can't allocate and invalidate 
multiple times within the same request.   But maybe the specs have 
something to say about the matter as I've seen the issue raised as an 
unexpected thorn before.

>> <HTTP-raw> Set-Cookie: JSESSIONID=C90DF7930FFFFE158150140E41FB2FAC;
>> Path=/globalen
>> <HTTP-raw> Set-Cookie: tbs_identity=88881043786:3032; Expires=Sun,
>> 01-Oct-2006 15:51:23 GMT; Path=/globalen
>> <HTTP-raw> Set-Cookie: JSESSIONID=F974FDF3E26ACF12203F9F2C190735DA;
>> Path=/globalen


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message