tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Williams <nicho...@nicholaswilliams.net>
Subject Re: Multiple JSESSIONID
Date Fri, 01 Mar 2013 20:00:11 GMT
APOLOGIES FOR TOP POSTING! (see below, were I correctly inline post this apology)

On Mar 1, 2013, at 1:58 PM, Nick Williams wrote:

> Browsers send all of the cookies because that's the compliant thing to do. RFC-2109 [1]
says:
> 
>> If multiple cookies satisfy the criteria above, they are ordered in
>> the Cookie header such that those with more specific Path attributes
>> precede those with less specific.  Ordering with respect to other
>> attributes (e.g., Domain) is unspecified.
> 
> 
> Based on that, assuming Tomcat follows the rules Christopher says it does, you should
be okay. The /app/myapplication cookie should always come first, and assuming it is valid
Tomcat should always prefer it.
> 
> Nick
> 
> [1] http://www.ietf.org/rfc/rfc2109.txt

My apologies for top posting! I don't normally do that. Slip of the keyboard...

> 
> On Mar 1, 2013, at 1:46 PM, Jose MarĂ­a Zaragoza wrote:
> 
>> Thanks for your answers.
>> 
>> I wonder why browsers don't send only one JSESSIONID
>> If I request an URL as www.mydomain.com/app/myapplication/action.do
>> and it has got 2 cookies with the same name, one for www.mydomain.com/
>> and another for www.mydomain.com/app/myapplication/  , IMHO, that a
>> browser should send the most restrictive
>> 
>> Indeed, I don't know if there is some browser working like that.
>> 
>> 
>> Christopher,
>> if the browser sends a JSESSIONID to Tomcat and this JSESSIONID is not
>> tracked by the server , does any error happen ?  or is it created a
>> new session with a new identifier ?
>> 
>> Thanks and regards
>> 
>> 
>> 
>> 2013/2/28 Caldarale, Charles R <Chuck.Caldarale@unisys.com>:
>>>> From: Nick Williams [mailto:nicholas@nicholaswilliams.net]
>>>> Subject: Re: Multiple JSESSIONID
>>> 
>>>>> That's interesting. I would recommend a servlet filter that captures
>>>>> addCookie and friends to see where that "extra" one is being added.
>>> 
>>>> The two JSESSIONIDs immediately above are in the request, so they're added
>>>> by the browser, not the server
>>> 
>>> Unless the browser is part of a hacking attack, the JSESSIONID cookies originally
came from the server.  The filter would have to be applied to both the ROOT and /app/myapplication
contexts, so it might best be placed in conf/web.xml to cover all webapps.
>>> 
>>> - Chuck
>>> 
>>> 
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL
and is thus for use only by the intended recipient. If you received this in error, please
contact the sender and delete the e-mail and its attachments from all computers.
>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
> 


Mime
View raw message