tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Parallel Deployment & Sessions: What am I Missing?
Date Fri, 12 Aug 2011 20:49:41 GMT
Hash: SHA1


On 8/12/2011 3:02 PM, Jonathan Rosenberg wrote:
> Mystery solved, I think.
> I did a little more digging around & discovered that my cookie had
> two JSESSIONID values. I didn't even know this was possible.

Yep, cookies can have multiple values.

You aren't doing this, but you can get two separate JSESSIONID cookies
if you have one context nested inside the other. The paths are
different, but one of them is a prefix of the other, so the nested
context gets both cookies. You can confuse the hell out of yourself
doing that (we did!) and it's best to avoid those situations.

Tomcat is actually (thankfully!) tolerant of multiple JSESSIONID values:
if there are many JSESSIONID cookies in the request, Tomcat loops
through all of them to see if *any* are valid. The first valid one gets
used (though there is no guarantee of the order in which they are
tested). If none are valid (last time I read the code), it tries to use
the last JSESSIONID requested as the new session id. I think that's
probably not true anymore due to the (semi-) recent changes to session
id management to help mitigate session hijacking and other nasty things.

So, the JSESSIONID you were seeing probably had a path that wasn't the
same as the webapp you are playing with, and that was the one you were
looking at. Tomcat was ignoring it because it wasn't valid but you
really had no way to tell without more invasive testing.

> Neither of the values matched Tomcat's session id & the browser was 
> unable to update the cookie's JSESSIONID properly (no surprise).
> I deleted this rogue cookie & all apears to be working as expected.

Glad you got your problem solved.

> Lots of moving parts ...


- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message