tomcat-users mailing list archives

From André Warnier
Subject Re: multiple Set-Cookie headers in initial http response
Date Wed, 12 Nov 2008 11:29:36 GMT
Markus Reis wrote:
>>> Our Tomcat 5.5 sends 30 cookie
>>> (cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
>>> domain=null; path=/)
>> Are they all identical?
> No. They are ALL different (and they also differ from response to response)
>>> and 900 Set-Cookie
>>> (header=Set-Cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
>>> Path=/; Secure) headers in the http response header back to the
>>> external clients (during the initial http request/response).
>> Same here: identical?
> No. Each of the 30 DIFFERENT session id's from above are repeated thirty times.
>>> The 900 Set-Cookie headers contain each "cookie" JSESSIONID thirty
>>> times.
>> That is crazy! How are you observing this behavior? LiveHTTPHeaders/http
>> protocol sniffer? Wireshark/packet sniffer?
> Yes it is crazy - I observed this using org.apache.catalina.valves.RequestDumperValve
> in my server.xml
>>> If I submit the same request from my machine I get a only/as expected
>>> one cookie and one Set-Cookie header back in the initial response.
>> Er... what do you mean "from my machine"? What are you using when you
>> get 900 Set-Cookie headers?
> "My machine" is my PC at work. The requests where a response with 900 Set-Cookie headers
> is returned, are sent from PC's of our partners, which operate in one single network (and
> thus all have the same IP, which is the IP of the partner network's proxy server). If I use
> some other PC connected to the internet I have the same expected behaviour as from my PC at
> work. So those responses are only/exclusively produced for requests coming from PC's of our
> markus
Old African proverb : he who wants to eat an elephant, should do it a 
little bit at a time.

I am not basing the following on any deep knowledge of Tomcat, just 
trying to use the logical cues from what you said so far and the way 
HTTP servers and browsers normally react.

1) How do you *precisely* know that Tomcat is actually sending 900 
Set-Cookie headers? Does the RequestDumperValve also dump the response? 
Or is that what you see in the client browser?
In other words, are you really sure that it is Tomcat who is sending all 
these Set-Cookie headers, or could it be the customer's proxy 
adding/multiplying them? (Not that I would know how it could do that, 
but that's another matter.)

2) The client browser gets 900 Set-Cookie headers, of which the basic 
set of different ones is 30, each multiplied 30 times.
So the client browser ends up with 30 cookies set?
Or just one, in the end?

3) Does this number 30 relate in some way to how many separate stations 
at your customer access your Tomcat server?
For example, assuming that there would be a way to "reset everything", 
and then turn on a single customer station, and access your Tomcat 
server once, how many Set-Cookies would that one browser get in return?
And then, what if a second station now sends a request?
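
One way to check question 1 above, added here as an example that is not part of the original message: count the JSESSIONID Set-Cookie headers in a raw response captured at the server and in one captured at the client, then compare the two. The function names and the sample captures are constructed for illustration, and header folding across lines is not handled.

```python
import re
from collections import Counter

def summarize_set_cookie(raw_response: bytes, cookie_name: str = "JSESSIONID"):
    """Summarize Set-Cookie headers for cookie_name in one raw HTTP response."""
    # Keep only the header block (everything before the first blank line).
    head = re.split(rb"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = Counter()
    for line in head.decode("iso-8859-1").splitlines()[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0].strip()   # NAME=VALUE, before attributes
        key, _, val = pair.partition("=")
        if key == cookie_name:
            values[val] += 1
    return {
        "total": sum(values.values()),          # e.g. 900 in the report above
        "distinct": len(values),                # e.g. 30 different session ids
        "repeats": sorted(set(values.values())),  # e.g. [30] if each repeats 30x
        "ids": sorted(values),
    }

def compare_hops(server_side: bytes, client_side: bytes):
    """Compare what left the server with what arrived at the client."""
    a = summarize_set_cookie(server_side)
    b = summarize_set_cookie(client_side)
    return {"server": a, "client": b, "changed_in_transit": a != b}

def build_sample(ids, repeat):
    """Constructed sample response: each id in ids is sent `repeat` times."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    for _ in range(repeat):
        for sid in ids:
            lines.append(f"Set-Cookie: JSESSIONID={sid}; Path=/; Secure")
    return ("\r\n".join(lines) + "\r\n\r\n<html></html>").encode("iso-8859-1")

if __name__ == "__main__":
    # Constructed, scaled-down version of the reported pattern: 3 ids x 3 repeats.
    server = build_sample(["AAA1.jbprod"], 1)
    client = build_sample(["AAA1.jbprod", "BBB2.jbprod", "CCC3.jbprod"], 3)
    print(compare_hops(server, client))
```

If the server-side capture shows a single header and the client-side capture shows many, the multiplication happens after Tomcat; if both show the same counts, it happens in Tomcat or the application.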
