tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose María Zaragoza <demablo...@gmail.com>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Tue, 08 Sep 2015 21:11:05 GMT
2015-09-08 22:57 GMT+02:00 Jeffrey Janner <Jeffrey.Janner@polydyne.com>:
>> -----Original Message-----
>> From: Jose María Zaragoza [mailto:demablogia@gmail.com]
>> Sent: Tuesday, September 08, 2015 9:08 AM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>>
>> 2015-09-08 15:51 GMT+02:00 Jeffrey Janner <Jeffrey.Janner@polydyne.com>:
>> >> -----Original Message-----
>> >> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> >> Sent: Friday, September 04, 2015 12:46 PM
>> >> To: Tomcat Users List <users@tomcat.apache.org>
>> >> Subject: Re: Multiple JSESSIONID cookies being presented.
>> >>
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA256
>> >>
>> >> Jeffrey,
>> >>
>> >> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>> >> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
>> >> > also seeing this on Windows (version doesn't matter), with Tomcat
>> >> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
>> >> >
>> >> > I have 2 contexts installed in Tomcat, one is ROOT, the other
>> >> > APP2. Both contexts start off at a login screen unique to the
>> >> > context and provided by it (not using container auth).
>> >> >
>> >> > When I connect to ROOT, no problem, but when I connect to APP2, I
>> >> > get 2 JSESSIONID cookies, one with the path "/" and the other with
>> >> > the path "/APP2/".
>> >>
>> >> I would expect this behavior: you have one ROOT app (cookie path=/)
>> >> and one APP2 app (cookie path=/APP2). Your browser will send both
>> >> cookies to /APP2 because / is a prefix of /APP2.
>> >>
>> > Chris -
>> > I wanted to come back to this case.
>> > Why is the above "expected behavior"?
>> > The client is connecting directly as "https://hostname/APP2" and never
>> going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on
>> first connection.  To me, this seems like a bug.
>> > Only being an admin, I've not fully read the spec, so not sure if the
>> above is really expected behavior.
>>
>>
>> http://www.ietf.org/rfc/rfc2109.txt
>>
>> The following rules apply to choosing applicable cookie-values from
>>    among all the cookies the user agent has.
>>
>> Domain Selection
>>         The origin server's fully-qualified host name must domain-match
>>         the Domain attribute of the cookie.
>>
>>    Path Selection
>>         The Path attribute of the cookie must match a prefix of the
>>         request-URI.
>>
>>    Max-Age Selection
>>         Cookies that have expired should have been discarded and thus
>>         are not forwarded to an origin server.
>>
>>    If multiple cookies satisfy the criteria above, they are ordered in
>>    the Cookie header such that those with more specific Path attributes
>>    precede those with less specific.  Ordering with respect to other
>>    attributes (e.g., Domain) is unspecified.
>>
>>
>>
> Thanks for the clarification of what's supposed to happen on receipt, Jose.
> However, I am describing what happens on first contact from the client to the server.
> The browser sends https://hostname/APP2, and Tomcat returns:
> JSESSIONID=XXXX, path=/    and   JSESSIONID=YYYY, path=/APP2/

Sorry, I misunderstood
IMHO, that behaviour is strange .
Indeed, it doesn't make sense for me to return different id ( XXXX ,
YYYY ) if you are accesing to only one context (/APP2)

Are you sure that your webapp deployed in /APP2 is not accesing to
resources ( session-aware resources as JSP, servlet, .. .I mean)
stored in ROOT context ?


>
> My contention is that it shouldn't be sending the first one, since it should never route
the request to the ROOT app, so it should not be generating a cookie for it.
>
> However, taking what you say above at face value, are you saying that HaProxy should
only be forwarding the cookie with path=/APP2/ or should it forward all of them and let Tomcat
figure it out.

I don't know.
In a later email, I talked you about using another cookie ( SRV_ID )
to balance between backend servers. This feature is implemented by HA
Proxy ( 1.5 at least )


>
> Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message