tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: Multiple JSESSIONID cookies being presented.
Date Tue, 08 Sep 2015 20:57:21 GMT
> -----Original Message-----
> From: Jose MarĂ­a Zaragoza [mailto:demablogia@gmail.com]
> Sent: Tuesday, September 08, 2015 9:08 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 2015-09-08 15:51 GMT+02:00 Jeffrey Janner <Jeffrey.Janner@polydyne.com>:
> >> -----Original Message-----
> >> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> >> Sent: Friday, September 04, 2015 12:46 PM
> >> To: Tomcat Users List <users@tomcat.apache.org>
> >> Subject: Re: Multiple JSESSIONID cookies being presented.
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Jeffrey,
> >>
> >> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> >> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> >> > also seeing this on Windows (version doesn't matter), with Tomcat
> >> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >> >
> >> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> >> > APP2. Both contexts start off at a login screen unique to the
> >> > context and provided by it (not using container auth).
> >> >
> >> > When I connect to ROOT, no problem, but when I connect to APP2, I
> >> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> >> > the path "/APP2/".
> >>
> >> I would expect this behavior: you have one ROOT app (cookie path=/)
> >> and one APP2 app (cookie path=/APP2). Your browser will send both
> >> cookies to /APP2 because / is a prefix of /APP2.
> >>
> > Chris -
> > I wanted to come back to this case.
> > Why is the above "expected behavior"?
> > The client is connecting directly as "https://hostname/APP2" and never
> going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on
> first connection.  To me, this seems like a bug.
> > Only being an admin, I've not fully read the spec, so not sure if the
> above is really expected behavior.
> 
> 
> http://www.ietf.org/rfc/rfc2109.txt
> 
> The following rules apply to choosing applicable cookie-values from
>    among all the cookies the user agent has.
> 
> Domain Selection
>         The origin server's fully-qualified host name must domain-match
>         the Domain attribute of the cookie.
> 
>    Path Selection
>         The Path attribute of the cookie must match a prefix of the
>         request-URI.
> 
>    Max-Age Selection
>         Cookies that have expired should have been discarded and thus
>         are not forwarded to an origin server.
> 
>    If multiple cookies satisfy the criteria above, they are ordered in
>    the Cookie header such that those with more specific Path attributes
>    precede those with less specific.  Ordering with respect to other
>    attributes (e.g., Domain) is unspecified.
> 
> 
> 
Thanks for the clarification of what's supposed to happen on receipt, Jose.
However, I am describing what happens on first contact from the client to the server.
The browser sends https://hostname/APP2, and Tomcat returns:
JSESSIONID=XXXX, path=/    and   JSESSIONID=YYYY, path=/APP2/

My contention is that it shouldn't be sending the first one, since it should never route the
request to the ROOT app, so it should not be generating a cookie for it.

However, taking what you say above at face value, are you saying that HaProxy should only
be forwarding the cookie with path=/APP2/ or should it forward all of them and let Tomcat
figure it out.

Jeff
Mime
View raw message