tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Multiple JSESSIONID
Date Sat, 02 Mar 2013 13:43:57 GMT
Hash: SHA256


On 3/1/13 2:46 PM, Jose MarĂ­a Zaragoza wrote:
> I wonder why browsers don't send only one JSESSIONID If I request
> an URL as and it has
> got 2 cookies with the same name, one for and
> another for  , IMHO, that a 
> browser should send the most restrictive

That would significantly limit the usefulness of cookies. The cookie's
"path" is really a path prefix. It would have been nice of the cookie
spec had been written so that clients sending a Cookie: header would
indicate the original path, but that's not the case so you have to
implement some workarounds sometimes.

> Indeed, I don't know if there is some browser working like that.

It would violate the spec, which probably means that MSIE can be
configured to behave as you describe.

> Christopher, if the browser sends a JSESSIONID to Tomcat and this
> JSESSIONID is not tracked by the server , does any error happen ?
> or is it created a new session with a new identifier ?

Tomcat ignores the session id unless a) the webapp (or a filter,
valve, etc.) requests the session or b) the server is configured to
strictly adhere to the servlet specification (or both). Sending an
invalid session id is not an error. If the session id is invalid and
the webapp requests a session, then a new session - with a new id -
will be created.

If the session id is invalid and strict spec compliance is enabled
(and the webapp does *not* specifically request the session), I
suspect the session id will be ignored entirely (but haven't tested
Tomcat under this configuration, nor have I read the code).

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message