From: Darryl Miles
To: Tomcat Users List
Date: Fri, 01 Sep 2006 22:24:37 +0100
Subject: Re: Tomcat 5.5 setting two JSESSIONID cookies in same response
Message-ID: <44F8A515.6010400@netbauds.net>

David Cotter wrote:
> This turns out to be because I call session.invalidate() and then
> request.getSession(true). I don't have to do this so it's fine. Don't know
> if two JSESSIONIDs is valid behaviour.

In the case of the sample quoted the new one will just overwrite it.

There are a few minor problems with cookie handling in TC; seeing two cookies for the same value is one I've seen before (and there is no API call to ask for a list of currently set cookies in the response, I can only ask what I was given in the request, Duh!).

Invalidating the session should set up the cookie to expire/delete the current value; the session object may be live during the request, but after the request has been processed it is destroyed.

It should be valid to call getSession(true) afterwards (within the same request) and you should be guaranteed a brand new JSESSIONID. This would be a very common way of writing a web-app and conceptually there isn't any technical reason why you can't allocate and invalidate multiple times within the same request.

But maybe the specs have something to say about the matter, as I've seen the issue raised as an unexpected thorn before.

>> Set-Cookie: JSESSIONID=C90DF7930FFFFE158150140E41FB2FAC;
>> Path=/globalen
>> Set-Cookie: tbs_identity=88881043786:3032; Expires=Sun,
>> 01-Oct-2006 15:51:23 GMT; Path=/globalen
>> Set-Cookie: JSESSIONID=F974FDF3E26ACF12203F9F2C190735DA;
>> Path=/globalen

Darryl
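Added example (not part of the original message and not Tomcat code): a Python check that replays the Set-Cookie headers quoted in the thread in order, using the RFC 6265 storage rule that a later cookie with the same name, domain and path replaces the earlier one. The function names are hypothetical, and treating a missing Domain or Path as an empty string is a simplifying assumption.

```python
# Added example: replay Set-Cookie headers the way a browser cookie store does.
# Constructed input: the three response headers quoted in the message above.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=C90DF7930FFFFE158150140E41FB2FAC; Path=/globalen"),
    ("Set-Cookie", "tbs_identity=88881043786:3032; "
                   "Expires=Sun, 01-Oct-2006 15:51:23 GMT; Path=/globalen"),
    ("Set-Cookie", "JSESSIONID=F974FDF3E26ACF12203F9F2C190735DA; Path=/globalen"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def effective_cookies(headers):
    """Return (store, overwritten).

    store maps (name, domain, path) to the value that survives; overwritten
    lists, per key, every value issued when more than one was sent.
    Assumption: a missing Domain or Path is treated as "" rather than being
    defaulted from the request URL as a real browser would.
    """
    store, issued = {}, {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(header_value)
        key = (name, attrs.get("domain", "").lower(), attrs.get("path", ""))
        issued.setdefault(key, []).append(value)
        store[key] = value  # later header replaces the earlier one
    overwritten = {k: v for k, v in issued.items() if len(v) > 1}
    return store, overwritten


if __name__ == "__main__":
    store, overwritten = effective_cookies(SAMPLE_HEADERS)
    for (name, _domain, path), values in overwritten.items():
        print(f"{name} (Path={path}) set {len(values)} times; "
              f"browser keeps {store[(name, _domain, path)]}")
```

The same cookie name issued with two different Path values is not an overwrite: both entries stay in the store, which is the case worth flagging when reviewing session handling.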