tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: different jsessionid for different webapps
Date Wed, 28 Jan 2009 02:08:52 GMT

Pid,

Pid wrote:
> Christopher Schultz wrote:
>> Bottom line: beware deploying applications inside one another's URI spaces.
> 
> Do you mean 'inside' as in the (expected) outcome of
> 
>  app1.war
>  app1#part2.war

It's worse than that, because Apache httpd was fronting the whole thing,
and each application was in a separate Tomcat instance. Hence, no
ability for Tomcat to differentiate between /legit/request/to/app1 and
/nonlegit/request/to/app1/app2/whatever.

Basically, I completely shot myself in the foot. ;)

> ... and if not, I wonder what the implications for cookie handling
> therein are.

I was forwarding a cookie from one app to another, and the app
first handling the request didn't use sessions at all, so a doubled-up
JSESSIONID cookie made it impossible to figure out which one was the
"right" one. Sure, we could have issued a second backend request to the
other app, but why bother when your deployment is fubar'd.

-chris
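
An added example, not part of the original message: how RFC 6265 path matching produces a doubled-up JSESSIONID when one application lives inside another's URI space, plus a check that flags nested context paths in a deployment. It assumes each session cookie is scoped to its application's context path; the paths /app1 and /app1/app2 follow the message, while the cookie values and function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie with this Path apply to the request?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookie header a browser would build: every matching cookie, longer paths first
// (RFC 6265 section 5.4). Only name=value is sent; the Path attribute is not.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatch(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// All values the receiving server sees for one cookie name.
function valuesFor(header, name) {
  return header
    .split(';')
    .map((p) => p.trim())
    .filter((p) => p.startsWith(name + '='))
    .map((p) => p.slice(name.length + 1));
}

// Deployment check: report [outer, inner] pairs where one context path sits inside another.
function nestedContexts(contextPaths) {
  const out = [];
  for (const outer of contextPaths)
    for (const inner of contextPaths)
      if (inner !== outer && pathMatch(inner, outer)) out.push([outer, inner]);
  return out;
}

// Constructed sample: session cookies issued by two separate Tomcat instances behind one httpd.
const jar = [
  { name: 'JSESSIONID', value: 'AAAA1111', path: '/app1' },
  { name: 'JSESSIONID', value: 'BBBB2222', path: '/app1/app2' },
];

const nestedRequest = cookieHeader(jar, '/app1/app2/whatever');
console.log(nestedRequest);                          // both session ids, no origin info
console.log(valuesFor(nestedRequest, 'JSESSIONID')); // two candidates for one name
console.log(cookieHeader(jar, '/app1/legit'));       // only the outer app's cookie
console.log(nestedContexts(['/app1', '/app1/app2', '/app10']));
```

Running `nestedContexts` over the context paths of every backend behind the same front-end host catches this layout before it is deployed; `/app10` is not flagged because path matching works on whole path segments.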

