tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Fri, 04 Sep 2015 17:45:30 GMT
On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm 
> also seeing this on Windows (version doesn't matter), with Tomcat 
> 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7u51.
> I have 2 contexts installed in Tomcat, one is ROOT, the other
> APP2. Both contexts start off at a login screen unique to the
> context and provided by it (not using container auth).
> When I connect to ROOT, no problem, but when I connect to APP2, I
> get 2 JSESSIONID cookies, one with the path "/" and the other with
> the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

> On the Windows implementations, we are not seeing a problem, at
> least not one being reported.
> On the Linux implementation, the end user will occasionally get 
> immediately kicked out with an invalid session immediately after 
> providing credentials. The access logs show a single
> jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

Are you using request.encodeURL() to build the <form> action URL, or
are you building it manually?

I believe Tomcat prefers the Cookie-based session id to anything
coming in from the URL, and I do know it will search all JSESSIONID
cookies for any that match a valid session (not just the first one) in
the current application. So logging in should ... always work.

> Amazingly, sometimes that goes through and lets the user login, so
> my theory is that the browser is sometimes picking the wrong path. 
> (Also, theory, the "/" cookie is being generated by a request for 
> "/favicon.ico" just before the request for the login page.)

You should make sure that anything that doesn't require authentication
specifically mentions that in web.xml, otherwise you'll get weird
things happening like that.

> So my question is:  Is there anything I can do from a
> configuration perspective to get it to NOT send the "/" cookie for
> APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

> Deployment details:

I think there's nothing in here that would change anything.

-chris
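The cookie-path overlap and the "search all JSESSIONID cookies" behaviour described in the reply above, as an added example that is not Tomcat's code or part of the original message; the cookie jar, session ids and Cookie header ordering are constructed:

```python
# Added example (not Tomcat's code): RFC 6265 cookie path matching plus two
# ways a server could pick a JSESSIONID when more than one arrives.

def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: the cookie is sent when its path equals the
    request path or is a prefix of it ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_to_send(jar, request_path):
    """Cookies a browser attaches to request_path, longest path first as
    RFC 6265 section 5.4 asks; a server still must not rely on that order."""
    chosen = [c for c in jar if path_matches(request_path, c["path"])]
    chosen.sort(key=lambda c: len(c["path"]), reverse=True)
    return [(c["name"], c["value"]) for c in chosen]

def parse_cookie_header(header):
    """Split 'a=1; b=2' into (name, value) pairs, keeping duplicate names."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def first_jsessionid(pairs, live_sessions):
    """Naive lookup: trust the first JSESSIONID and give up if it is stale."""
    for name, value in pairs:
        if name == "JSESSIONID":
            return value if value in live_sessions else None
    return None

def any_valid_jsessionid(pairs, live_sessions):
    """Scan every JSESSIONID for one naming a live session in this context
    (the behaviour the reply attributes to Tomcat)."""
    for name, value in pairs:
        if name == "JSESSIONID" and value in live_sessions:
            return value
    return None

# Constructed data mirroring the thread: the ROOT session cookie on path "/"
# and the APP2 session cookie on path "/APP2".
JAR = [
    {"name": "JSESSIONID", "value": "root111", "path": "/"},
    {"name": "JSESSIONID", "value": "app2222", "path": "/APP2"},
]
APP2_SESSIONS = {"app2222"}  # session ids live in the APP2 context
```

With the ROOT cookie listed first in the header, `first_jsessionid` returns nothing while `any_valid_jsessionid` still finds the APP2 session, which is why the overlap only bites a resolver that stops at the first cookie.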