tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeffrey Janner <>
Subject RE: Multiple JSESSIONID cookies being presented.
Date Tue, 08 Sep 2015 13:51:13 GMT
> -----Original Message-----
> From: Christopher Schultz []
> Sent: Friday, September 04, 2015 12:46 PM
> To: Tomcat Users List <>
> Subject: Re: Multiple JSESSIONID cookies being presented.
> Hash: SHA256
> Jeffrey,
> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> > also seeing this on Windows (version doesn't matter), with Tomcat
> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >
> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> > APP2. Both contexts start off at a login screen unique to the
> > context and provided by it (not using container auth).
> >
> > When I connect to ROOT, no problem, but when I connect to APP2, I
> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> > the path "/APP2/".
> I would expect this behavior: you have one ROOT app (cookie path=/)
> and one APP2 app (cookie path=/APP2). Your browser will send both
> cookies to /APP2 because / is a prefix of /APP2.
Chris -
I wanted to come back to this case. 
Why is the above "expected behavior"?
The client is connecting directly as "https://hostname/APP2" and never going directly to the
ROOT app, yet gets both JSESSIONIDs from Tomcat on first connection.  To me, this seems like
a bug.
Only being an admin, I've not fully read the spec, so not sure if the above is really expected
Now, it's been doing this since at least Tomcat 6, I have one running now, and I've never
had a problem with it using direct connections.  But now we are front-ending with HaProxy
and going to two backend tomcats, and using the JSESSIONID to support sticky-sessions.  I'm
afraid the multiple cookies is confusing HaProxy. (Yes, I'm going to ask that user community.)

View raw message