From Christopher Schultz <>
Subject Re: HtttServletRequest.getSession()
Date Tue, 14 Sep 2010 14:16:04 GMT

On 9/14/2010 7:55 AM, Mark Thomas wrote:
> On 14/09/2010 10:40, Brian McBride wrote:
>> The javadoc states this call returns the "session associated with the
>> request". I'm trying to figure out what "the session associated with
>> the request" actually means.
>> Specifically, if I have the same client sending https and http requests
>> intermixed in time, will there be two session objects, one for the
>> secure requests and one for the insecure ones, or just one?
> It depends where the session is created. Sessions created under http
> should transition to https (and back) without a problem. If you create
> the session under https then the session will not transition to http.
> The next http request will trigger a new session to be created.

Just for my own edification, consider the above scenario, and then
follow these steps:

0. [Browser has two JSESSIONID cookies: one secure=true and one
1. Browser makes an HTTPS connection to the server and sends both cookies
2. Application code calls request.getSession()

Which cookie does Tomcat end up using? My experience with Tomcat and
foolish JSESSIONID cookie handling (a big mistake in the past with
nested URL spaces and proxied session ids) taught me that Tomcat will
take the JSESSIONID cookies from the request and try them all: the first
one that is valid wins.

Does this mean that the session chosen during step #2 above is entirely
dependent upon the order in which the client sends the JSESSIONID
cookies? Or, does Tomcat prefer the HTTPS one when in HTTPS mode?

I'd read the code, but I have forgotten where that code was when I read
it long ago. (*ducks*)

-chris
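A small model of the two resolution policies discussed in this thread, added here as an example (it is not Tomcat's code): `first_valid_wins` mirrors the "try every JSESSIONID, first valid one wins" behaviour Chris describes, and `resolve_by_scheme` is a hypothetical hardened policy that keys off whether each session was created over HTTPS, because the browser never sends cookie attributes such as Secure in the Cookie header, so the server cannot tell the two cookies apart by name alone. The session store and its ids are constructed.

```python
"""Model of multi-JSESSIONID resolution (constructed example, not Tomcat code)."""


def parse_cookie_header(header):
    """Return (name, value) pairs in the order the client sent them."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed session store: id -> whether the session was created over HTTPS.
SESSIONS = {
    "AAA111": {"created_secure": False},
    "BBB222": {"created_secure": True},
}


def first_valid_wins(header, store=SESSIONS):
    """Behaviour described in the thread: every JSESSIONID is tried in the
    order received and the first one matching a live session wins, so the
    outcome depends on cookie order."""
    for name, value in parse_cookie_header(header):
        if name == "JSESSIONID" and value in store:
            return value
    return None


def resolve_by_scheme(header, request_is_https, store=SESSIONS):
    """Hypothetical hardened policy (an assumption, not Tomcat behaviour):
    a session created under HTTPS is never honoured on a plain-HTTP request,
    and on HTTPS a session created under HTTPS is preferred over one created
    under HTTP, independent of the order the cookies arrive in."""
    candidates = [v for n, v in parse_cookie_header(header)
                  if n == "JSESSIONID" and v in store]
    if not request_is_https:
        candidates = [c for c in candidates if not store[c]["created_secure"]]
    else:
        # Stable sort: HTTPS-created sessions first, original order otherwise.
        candidates.sort(key=lambda c: not store[c]["created_secure"])
    return candidates[0] if candidates else None
```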

