tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Multiple JSESSIONID
Date Sat, 02 Mar 2013 13:43:57 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jose,

On 3/1/13 2:46 PM, Jose MarĂ­a Zaragoza wrote:
> I wonder why browsers don't send only one JSESSIONID If I request
> an URL as www.mydomain.com/app/myapplication/action.do and it has
> got 2 cookies with the same name, one for www.mydomain.com/ and
> another for www.mydomain.com/app/myapplication/  , IMHO, that a 
> browser should send the most restrictive

That would significantly limit the usefulness of cookies. The cookie's
"path" is really a path prefix. It would have been nice of the cookie
spec had been written so that clients sending a Cookie: header would
indicate the original path, but that's not the case so you have to
implement some workarounds sometimes.

> Indeed, I don't know if there is some browser working like that.

It would violate the spec, which probably means that MSIE can be
configured to behave as you describe.

> Christopher, if the browser sends a JSESSIONID to Tomcat and this
> JSESSIONID is not tracked by the server , does any error happen ?
> or is it created a new session with a new identifier ?

Tomcat ignores the session id unless a) the webapp (or a filter,
valve, etc.) requests the session or b) the server is configured to
strictly adhere to the servlet specification (or both). Sending an
invalid session id is not an error. If the session id is invalid and
the webapp requests a session, then a new session - with a new id -
will be created.

If the session id is invalid and strict spec compliance is enabled
(and the webapp does *not* specifically request the session), I
suspect the session id will be ignored entirely (but haven't tested
Tomcat under this configuration, nor have I read the code).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEyAh0ACgkQ9CaO5/Lv0PC7WQCfUBpEyteBM1QnwDP60bD7E931
vbQAn38vJkmxS4Fd7mDRU/ORmIZ8XofD
=k4w/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message