tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?
Date Thu, 01 Jul 2010 01:26:00 GMT
Hash: SHA1


On 6/30/2010 6:20 PM, Nikita Tovstoles wrote:
> I'd like to make session cookie domain-wide, and ignore subdomains - in
> Tomcat 6.

You could use the emptySessionPath="true" setting in your <Connector>.

> So for app reachable via and, I'd like to
> have session cookie's domain be "". I thought of doing so using a
> ServletResponseWrapper and a servlet Filter:

A filter won't work, as the cookie is (typically) created at the Valve
level, before your filter has a chance to run.

> However, JSESSIONID continues to be set to FQ host name ("").

If you use a properly-configured Valve that does roughly the same thing,
I think it'll work.

> Is it because Tomcat internals do not use HttpServletResponse.addCookie() to
> set JSESSIONID or is that cookie set before filter chain gets executed?

Definitely the latter, but possibly also the former: the authenticator
valve might call methods directly on the non-spec Request object,
instead of a ServletRequest object.

> If so, sounds like Filter is (sadly) not applicable for this case, and I
> have to create a custom Valve? Any tips on how to
> wrap org.apache.catalina.connector.Response - valve.invoke() does not take
> HttpServletResponse...

See the handy configuration parameter above and save yourself a lot of

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message