tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Choosing the "right" session id
Date Tue, 29 Apr 2008 13:24:39 GMT

Rainer,

Rainer Jung wrote:
| This is not a real answer to your question, but if you look at the code,
| the behaviour w.r.t. multiple JSESSIONID cookies has been changed
| between 5.5.25 and 5.5.26. There is an issue BZ 43839, and the patch has
| been applied to TC 5.5 in r609463
|
| http://svn.apache.org/viewvc?view=rev&revision=609463

Hmm... I took a look at the new code and it appears to be the same as
the old code for cookies (except that now JSESSIONID cookies are
completely ignored when cookies have been disabled application-wide).

I checked on the cookie specification (best resource I could find was
http://wp.netscape.com/newsref/std/cookie_spec.html) and under the
"Syntax of Cookie HTTP Request Headers" section it states:

"When sending cookies to a server, all cookies with a more specific path
mapping should be sent before cookies with less specific path mappings.
For example, a cookie "name1=foo" with a path mapping of "/" should be
sent after a cookie "name1=foo2" with a path mapping of "/bar" if they
are both to be sent."

That seems to be in line with what Tomcat's code expects: it tries all
cookies from most-specific path to least-specific path (because it
processes them from left to right). Unfortunately for me, the
most-specific path (first sent) is the one that I want, while the
least-specific path is the one used, even when it is not valid.

I think I have to move my application. :(

The good news is that most people who use the "real" /foo application
are never going to be using the ROOT context application just because of
the types of users served. So, while I wait for a convenient time to
move that application, not too many people will be affected. I also have
the option of having the /foo application kill the cookie from the ROOT
application if necessary.

Thanks for the info!
-chris

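Added example, not part of the original message and not Tomcat's code: a small Python model of the situation discussed above, where a browser holds two JSESSIONID cookies (paths "/" and "/foo"), sends them most-specific-first, and the server has to pick one. The cookie values, function names, the two selection strategies and the plain prefix path matching are assumptions made for illustration.

```python
from typing import Iterable, List, Optional, Set, Tuple

Cookie = Tuple[str, str, str]  # (name, value, path)

def build_cookie_header(jar: Iterable[Cookie], request_path: str) -> str:
    """Client side: send every matching cookie, most specific path first."""
    matching = [c for c in jar if request_path.startswith(c[2])]
    matching.sort(key=lambda c: len(c[2]), reverse=True)
    return "; ".join(f"{name}={value}" for name, value, _ in matching)

def session_candidates(header: str, name: str = "JSESSIONID") -> List[str]:
    """Server side: every value sent under `name`, in left-to-right order."""
    values = []
    for pair in header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            values.append(value)
    return values

def first_valid(candidates: List[str], live: Set[str]) -> Optional[str]:
    """Take the first candidate that this context actually has a session for."""
    return next((c for c in candidates if c in live), None)

def last_wins(candidates: List[str]) -> Optional[str]:
    """Let later cookies overwrite earlier ones, with no validity check."""
    return candidates[-1] if candidates else None

# Constructed sample data: one browser, two webapps on the same host.
JAR = [("JSESSIONID", "ROOT-2222", "/"), ("JSESSIONID", "FOO-1111", "/foo")]
FOO_SESSIONS = {"FOO-1111"}  # sessions that exist in the /foo context

def demo():
    header = build_cookie_header(JAR, "/foo/index.jsp")
    cands = session_candidates(header)
    return header, first_valid(cands, FOO_SESSIONS), last_wins(cands)

if __name__ == "__main__":
    header, good, bad = demo()
    print("Cookie:", header)
    print("first valid:", good)
    print("last wins  :", bad, "| known to /foo:", bad in FOO_SESSIONS)
```

In this model, removing the "/" cookie from the jar (the "kill the cookie from the ROOT application" option) leaves a single candidate, so both strategies agree.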