tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: HtttServletRequest.getSession()
Date Wed, 15 Sep 2010 14:34:11 GMT
Hash: SHA1


Thanks for further investigation. Comments, as always, are below.

On 9/14/2010 6:17 PM, André Warnier wrote:
>  3.3.3  Cookie Management  If a user agent receives a Set-Cookie2
>    response header whose NAME is the same as that of a cookie it has
>    previously stored, the new cookie supersedes the old when: the old
>    and new Domain attribute values compare equal, using a case-
>    insensitive string-compare; and, the old and new Path attribute
>    values string-compare equal (case-sensitive).

This was the business I was looking for.

> Personal interpretation, inasmuch as necessary :
> Neither the "Port" nor the "Secure" attributes are "identifiers" of the
> cookie; 2 cookies which have the same name and domain and path, but
> different "Port" and/or "Secure" attributes, are the same cookie, and
> one overwrites the other.


> So a browser should never return 2 cookies with the same name and path,
> with a request to the same host.

Well, the browser doesn't have to report the path to the server when
sending a request. It is still (definitely!) possible to get more than
one cookie with the same name yet different values sent to the server.
Believe me, I've seen it happen and had to fix my nested web application
paths to prevent that (self-inflicted) stupidity from interfering with
my webapp's operation.

>       2. If the attribute is present but has no value (e.g., Port), the
>          cookie MUST only be sent to the request-port it was received
>          from.

That's interesting: "use the current port" without being explicit.

> An interesting question is still this :
> if a server sends 2 cookies to a browser, with the same name and path,
> but a diffrent domain : cookie 1 has a domain "",
> and cookie 2 a domain of "".
> According to what I understand, the browser should cache both cookie
> separately, as they differ by the domain attribute.
> But should the browser return both cookies with the next request to the
> same host ?


- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message