tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: multiple Set-Cookie headers in initial http response
Date Wed, 12 Nov 2008 12:05:01 GMT
André Warnier wrote:
> Markus Reis wrote:
>>>> Our Tomcat 5.5 sends 30 cookie
>>>> (cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
>>>> domain=null; path=/)
>>> Are they all identical?
>> No. They are ALL different (and they also differ from response to
>> response)
>>>> and 900 Set-Cookie
>>>> (header=Set-Cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
>>>> Path=/; Secure) headers in the http response header back to the
>>>> external clients (during the initial http request/response).
>>> Same here: identical?
>> No. Each of the 30 DIFFERENT session id's from above are repeated
>> thirty times.
>>>> The 900 Set-Cookie headers contain each "cookie" JSESSIONID thirty
>>>> times.
>>> That is crazy! How are you observing this behavior? LiveHTTPHeaders/http
>>> protocol sniffer? Wireshark/packet sniffer?
>> Yes it is crazy - I observed this using
>> org.apache.catalina.valves.RequestDumperValve in my server.xml
>>>> If I submit the same request from my machine I get a only/as expected
>>>> one cookie and one Set-Cookie header back in the initial response.
>>> Er... what do you mean "from my machine"? What are you using when you
>>> get 900 Set-Cookie headers?
>> "My machine" is my PC at work. The requests where a repsonse with 900
>> SetCookie headers is returned, are sent from PC's of our partners,
>> which operate in one single network (and thus all have the same IP,
>> which is the IP of the partner network's proxy server). If I use some
>> other PC connected to the internet I have the same expected behaviour
>> as from my PC at work. So those responses are only/exclusively
>> produced for requests coming from PC's of our partners.
>> markus
> Old African proverb : he who wants to eat an elephant, should do it a
> little bit at a time.
> I am not basing the following on any deep knowledge of Tomcat, just
> trying to use the logical cues from what you said so far and the way
> HTTP servers and browsers normally react.
> 1) How do you *precisely* know that Tomcat is actually sending 900
> Set-Cookie Headers ? does the RequestDumperValve also dump the response
> ? or is that what you see in the client browser ?
> In other words, are you really sure that it is Tomcat who is sending all
> these Set-Cookie headers, or could it be the customer's proxy
> adding/multiplying them ? (Not that I would know how it could do that,
> but that's another matter)
> 2) The client browser gets 900 Set-Cookie headers, of which the basic
> set of different ones is 30, each multiplied 30 times.
> So the client browser ends up with 30 cookies set ?
> Or just one, in the end ?
> 3) Does this number 30 relate in some way to how many separate stations
> at your customer access your Tomcat server ?
> For example, assuming that there would be a way to "reset everything",
> and then turn on a single customer station, and access your Tomcat
> server once, how many Set-cookies would that one browser get in return ?
> And then, what if a second station now sends a request ?

As a test, why don't you set a cookie on each client PC, (containing a
unique identifier, perhaps a username or something else that will
identify individual PCs or users), to see if that gets multiplied back
to you too.  If it does, you may discern more about the pattern of failure.


> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message