tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Fri, 04 Sep 2015 17:45:30 GMT

Jeffrey,

On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm 
> also seeing this on Windows (version doesn't matter), with Tomcat 
> 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> 
> I have 2 contexts installed in Tomcat, one is ROOT, the other
> APP2. Both contexts start off at a login screen unique to the
> context and provided by it (not using container auth).
> 
> When I connect to ROOT, no problem, but when I connect to APP2, I
> get 2 JSESSIONID cookies, one with the path "/" and the other with
> the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

> On the Windows implementations, we are not seeing a problem, at
> least not one being reported.
> 
> On the Linux implementation, the end user will occasionally get 
> immediately kicked out with an invalid session immediately after 
> providing credentials. The access logs show a single
> jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

Are you using request.encodeURL() to build the <form> action URL, or
are you building it manually?

I believe Tomcat prefers the Cookie-based session id to anything
coming-in from the URL, and I do know it will search all JSESSIONID
cookies for any that match a valid session (not just the first one) in
the current application. So logging-in should ... always work.

> Amazingly, sometimes that goes through and lets the user login, so
> my theory is that the browser is sometimes picking the wrong path. 
> (Also, theory, the "/" cookie is being generated by a request for 
> "/favicon.ico" just before the request for the login page.)

You should make sure that anything that doesn't require authentication
specifically mentions that in web.xml, otherwise you'll get weird
things happening like that.

> So my question is:  Is there anything I can do from a
> configuration perspective to get it to NOT send the "/" cookie for
> APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

> Deployment details:

I think there's nothing in here that would change anything.

-chris
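The mechanism Chris describes above (the browser sending both JSESSIONID cookies to /APP2 because / is a prefix of /APP2, and Tomcat scanning every JSESSIONID cookie for one that is a live session in the current context) modelled in Python as an added example; this is not code from the thread or from Tomcat, and the session ids, the cookie jar and the RFC 6265 path-match rule are assumptions of the model:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCookie:
    """One cookie in the browser's jar (constructed; no Domain/Secure handling)."""
    name: str
    value: str
    path: str


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: '/' matches everything,
    '/APP2' matches '/APP2' and '/APP2/...' but not '/APP2x/...'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, request_path):
    """What the browser puts in the Cookie header: every path-matching
    cookie, longer paths first (RFC 6265 section 5.4)."""
    matching = [c for c in jar if path_matches(c.path, request_path)]
    return sorted(matching, key=lambda c: len(c.path), reverse=True)


def resolve_session(sent_cookies, context_sessions):
    """Server side, as Chris describes it: scan every JSESSIONID cookie
    and return the first id that is a live session in this context,
    otherwise None (the user is treated as having no session)."""
    for c in sent_cookies:
        if c.name == "JSESSIONID" and c.value in context_sessions:
            return c.value
    return None


# Constructed jar: ROOT and APP2 each issued their own JSESSIONID.
JAR = [
    StoredCookie("JSESSIONID", "ROOT-SESSION-ID", "/"),
    StoredCookie("JSESSIONID", "APP2-SESSION-ID", "/APP2"),
]


def demo(app2_live_sessions):
    """Request to /APP2/login.jsp: which cookies go out, which session wins."""
    sent = cookies_for_request(JAR, "/APP2/login.jsp")
    return [c.value for c in sent], resolve_session(sent, app2_live_sessions)


if __name__ == "__main__":
    print(demo({"APP2-SESSION-ID"}))  # both cookies sent, APP2 session found
    print(demo(set()))                # APP2 session gone: no match, None
```

A request for /favicon.ico or /index.html only ever receives the "/" cookie, which is why an unauthenticated asset request can create a ROOT session that then rides along on every /APP2 request.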


