tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Thu, 10 Sep 2015 19:23:41 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

On 9/10/15 12:26 PM, Jeffrey Janner wrote:
> Thanks for all the help guys. I think I've sussed out what is
> going on here.  Now just have to get the Dev guys to address it.
> 
> After spending a good bit of time clearing and watching cookies
> and access logs, both with and without a favicon.ico file, I found
> that the doubling was happening only if the file was missing.  I
> checked the error.jsp file and it does have session=true set, and
> if the icon file is missing, the error.jsp is definitely being
> sent.
> 
> So it looks like the possible solutions are: 1) provide a
> favicon.ico file.

This fixes the symptom, not the problem. You'll get the same problem
with clients who request /apple-touch-icon.png, /robots.txt, or just
about any other file that ends up resulting in a 404. This could be
something from within the application itself, and will (apparently)
cause mass confusion.

> 2) remove the session=true setting from the error page.

This is the right answer. Do you really need the session in error.jsp?

> 3) somehow not send the error.jsp when a sub-link (image, script, 
> etc.) results in a 404.
> 
> 4) Have the login page of APP2 provide it's own icon <link> 
> directive (it doesn't currently have one.)

> Any other options?

If you absolutely need access to the session in your error.jsp file,
you can do this:

<?jsp session="false" ?>
<%
  HttpSession session = request.getSession(false);

  ...
%>

This will prevent sessions from being created when there isn't already
a session. You'll have to check the code for error.jsp to make sure
that no code uses the session before checking it for null -- because
session="true" guarantees that the "session" reference will be non-null.

That will allow you to use session information in error.jsp if a
session already exists, but not create a superfluous session when one
does not (yet) exist.

Back to Tomcat's session management: Tomcat *can* handle this
situation properly: it will try all JSESSIONID cookies it gets to find
a valid one in the current web application. So, multiple JSESSIONID
cookies won't confuse Tomcat. Some other component must be
mis-understanding the session identifier in some way.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8di9AAoJEBzwKT+lPKRY9FUP/0m2SNIG3nW9dsIRCr1q/SWG
5O/s5VrDs7Rvk1hWfbGTlhfuL0zkeCaL/GQE4wa3KQo4qHPhtzYlIgZstEeaAQqk
kLwU4JHzJcTfKMKog6/O0kFwysYzl4y/EX+UoBcY3h3N5xkQ0RGNOYEF7fSr+6NA
Uuxo6WVxQoP3Ce/64EZ1P+uxglLJF+pML6OViEHEK4qgL3SY1UY0tOFpcBa43Gqt
Y/Z7I1SvQhRt2VGQzyatHRypAMxynJfHjvV/gyF3k1/XFEeWDDpET4guaazD1uqW
fE5Lgt3Lxr1WyeEXxeJz4jOlLBty0bm9m16YFdxCsNjVy7v7Uy7M1Hd0iIfoktCV
Vp8nzuj+qxVMpzua2N/J7e9slYnIZOePOFFrTQbWx1S10QCvgRuprN3lyZEU29oP
PywXQU/F9u/xFPk6Z5+xdMrSEvL+ykuwoyV8Ef2CObZ0Ibsjx9WoBAz/hRLpeeji
TngPwFvDrU7jMR36SQ+vCR8PQSjQo5P2P+KZE735uIgG/iz3F6gQ+8R9E0p1iutL
iLoF2alPkSaoWnBTrlDhV+EvKtjKl2FWuRrs5sHGWG6FowS+lKnaAfhkq3ArGLdS
j4JFculpE80Ys9saoetvTlQ35dTi1KdmL+gzixI/EjUVkS2azsW6kYxkwliig4gN
UVa6wuFsD/I9JcMCKeIp
=1OQG
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message