tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose MarĂ­a Zaragoza <>
Subject Re: Multiple JSESSIONID
Date Fri, 01 Mar 2013 19:46:05 GMT
Thanks for your answers.

I wonder why browsers don't send only one JSESSIONID
If I request an URL as
and it has got 2 cookies with the same name, one for
and another for  , IMHO, that a
browser should send the most restrictive

Indeed, I don't know if there is some browser working like that.

if the browser sends a JSESSIONID to Tomcat and this JSESSIONID is not
tracked by the server , does any error happen ?  or is it created a
new session with a new identifier ?

Thanks and regards

2013/2/28 Caldarale, Charles R <>:
>> From: Nick Williams []
>> Subject: Re: Multiple JSESSIONID
>> > That's interesting. I would recommend a servlet filter that captures
>> > addCookie and friends to see where that "extra" one is being added.
>> The two JSESSIONIDs immediately above are in the request, so they're added
>> by the browser, not the server
> Unless the browser is part of a hacking attack, the JSESSIONID cookies originally came
from the server.  The filter would have to be applied to both the ROOT and /app/myapplication
contexts, so it might best be placed in conf/web.xml to cover all webapps.
>  - Chuck
is thus for use only by the intended recipient. If you received this in error, please contact
the sender and delete the e-mail and its attachments from all computers.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message