tomcat-users mailing list archives

From Nick Williams <>
Subject Re: Multiple JSESSIONID
Date Fri, 01 Mar 2013 19:58:50 GMT
Browsers send all of the cookies because that's the compliant thing to do. RFC-2109 [1] says:

> If multiple cookies satisfy the criteria above, they are ordered in
> the Cookie header such that those with more specific Path attributes
> precede those with less specific.  Ordering with respect to other
> attributes (e.g., Domain) is unspecified.

Based on that, assuming Tomcat follows the rules Christopher says it does, you should be okay.
The /app/myapplication cookie should always come first, and assuming it is valid Tomcat should
always prefer it.



On Mar 1, 2013, at 1:46 PM, Jose María Zaragoza wrote:

> Thanks for your answers.
> I wonder why browsers don't send only one JSESSIONID
> If I request an URL as
> and it has got 2 cookies with the same name, one for
> and another for  , IMHO, that a
> browser should send the most restrictive
> Indeed, I don't know if there is some browser working like that.
> Christopher,
> if the browser sends a JSESSIONID to Tomcat and this JSESSIONID is not
> tracked by the server , does any error happen ?  or is it created a
> new session with a new identifier ?
> Thanks and regards
> 2013/2/28 Caldarale, Charles R <>:
>>> From: Nick Williams []
>>> Subject: Re: Multiple JSESSIONID
>>>> That's interesting. I would recommend a servlet filter that captures
>>>> addCookie and friends to see where that "extra" one is being added.
>>> The two JSESSIONIDs immediately above are in the request, so they're added
>>> by the browser, not the server
>> Unless the browser is part of a hacking attack, the JSESSIONID cookies originally
>> came from the server.  The filter would have to be applied to both the ROOT and /app/myapplication
>> contexts, so it might best be placed in conf/web.xml to cover all webapps.
>> - Chuck

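The RFC 2109 ordering rule quoted in the message above, as an added example that is not part of the original thread: it builds the Cookie header a compliant browser would send when it holds one JSESSIONID per context path, then applies a server rule that takes the first ID mapping to a live session and flags requests carrying duplicates. The cookie values, the request path suffix and the first-live-session rule are assumptions made for illustration, not Tomcat's own code.

```python
# Added example: models RFC 2109 cookie ordering and a first-valid-wins server.
# Cookie values, the session table and the request path suffix are constructed.

def cookie_header(jar, request_path):
    """Build the Cookie header a compliant browser sends for request_path.

    jar: list of (name, value, path) tuples. RFC 2109 path-matching is a
    plain prefix test, and matching cookies with more specific (longer)
    Path attributes precede less specific ones.
    """
    matching = [c for c in jar if request_path.startswith(c[2])]
    matching.sort(key=lambda c: len(c[2]), reverse=True)  # stable sort
    return "; ".join(f"{name}={value}" for name, value, _ in matching)


def session_ids(header, name="JSESSIONID"):
    """Return every value sent for the session cookie, in header order."""
    ids = []
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            ids.append(value)
    return ids


def pick_session(header, live_sessions):
    """Assumed server rule: use the first ID that maps to a live session.

    Returns (chosen_id_or_None, duplicates_seen) so a caller can log requests
    that carry more than one session cookie.
    """
    ids = session_ids(header)
    chosen = next((i for i in ids if i in live_sessions), None)
    return chosen, len(ids) > 1


# Constructed cookie jar: one session cookie per context path.
JAR = [
    ("JSESSIONID", "ROOT-1111", "/"),
    ("JSESSIONID", "APP-2222", "/app/myapplication"),
]

if __name__ == "__main__":
    header = cookie_header(JAR, "/app/myapplication/index.jsp")
    print(header)
    print(pick_session(header, live_sessions={"APP-2222"}))
    print(pick_session(header, live_sessions={"ROOT-1111"}))
```

The Cookie request header carries no Path attribute, so the server sees only the order of the values; logging the duplicates flag is what makes the two-cookie case visible on the server side.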