tomcat-users mailing list archives

From Jose María Zaragoza <>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Tue, 08 Sep 2015 14:08:03 GMT
2015-09-08 15:51 GMT+02:00 Jeffrey Janner <>:
>> -----Original Message-----
>> From: Christopher Schultz []
>> Sent: Friday, September 04, 2015 12:46 PM
>> To: Tomcat Users List <>
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>> Jeffrey,
>> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
>> > also seeing this on Windows (version doesn't matter), with Tomcat
>> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
>> >
>> > I have 2 contexts installed in Tomcat, one is ROOT, the other
>> > APP2. Both contexts start off at a login screen unique to the
>> > context and provided by it (not using container auth).
>> >
>> > When I connect to ROOT, no problem, but when I connect to APP2, I
>> > get 2 JSESSIONID cookies, one with the path "/" and the other with
>> > the path "/APP2/".
>> I would expect this behavior: you have one ROOT app (cookie path=/)
>> and one APP2 app (cookie path=/APP2). Your browser will send both
>> cookies to /APP2 because / is a prefix of /APP2.
> Chris -
> I wanted to come back to this case.
> Why is the above "expected behavior"?
> The client is connecting directly as "https://hostname/APP2" and never going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first connection.  To me, this seems like a bug.
> Only being an admin, I've not fully read the spec, so not sure if the above is really expected behavior.

   The following rules apply to choosing applicable cookie-values from
   among all the cookies the user agent has.

   Domain Selection
        The origin server's fully-qualified host name must domain-match
        the Domain attribute of the cookie.

   Path Selection
        The Path attribute of the cookie must match a prefix of the

   Max-Age Selection
        Cookies that have expired should have been discarded and thus
        are not forwarded to an origin server.

   If multiple cookies satisfy the criteria above, they are ordered in
   the Cookie header such that those with more specific Path attributes
   precede those with less specific.  Ordering with respect to other
   attributes (e.g., Domain) is unspecified.

> Now, it's been doing this since at least Tomcat 6, I have one running now, and I've never had a problem with it using direct connections.  But now we are front-ending with HAProxy and going to two backend tomcats, and using the JSESSIONID to support sticky-sessions.  I'm afraid the multiple cookies are confusing HAProxy. (Yes, I'm going to ask that user community.)
> Jeff
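
Added example, not part of the original message: the selection rules quoted above, applied to the two JSESSIONID cookies from this thread, showing why a request under /APP2/ carries both, with the more specific Path first. Cookie values and request paths are constructed; the segment-aware path check and the simplified domain match are assumptions that go slightly beyond the plain prefix rule quoted.

```javascript
// Constructed sample data throughout; helper names are hypothetical.

// Segment-aware prefix test: "/APP2/" matches "/APP2/x", but "/APP2" must not match "/APP20".
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simplified domain match (assumption): exact host, or a ".suffix" Domain attribute.
function domainMatches(cookieDomain, host) {
  const d = cookieDomain.toLowerCase(), h = host.toLowerCase();
  return d.startsWith(".") ? (h.endsWith(d) || h === d.slice(1)) : h === d;
}

// Domain, Path and Max-Age selection, then ordering by Path specificity.
function selectCookies(jar, host, requestPath, now) {
  return jar
    .filter(c => domainMatches(c.domain, host))
    .filter(c => pathMatches(c.path, requestPath))
    .filter(c => c.expires === null || c.expires > now)
    .sort((a, b) => b.path.length - a.path.length); // longer Path first
}

function cookieHeader(jar, host, requestPath, now = Date.now()) {
  return selectCookies(jar, host, requestPath, now)
    .map(c => `${c.name}=${c.value}`).join("; ");
}

// Every value a server-side consumer sees for one cookie name, in header order.
function valuesFor(header, name) {
  return header.split("; ")
    .map(p => [p.slice(0, p.indexOf("=")), p.slice(p.indexOf("=") + 1)])
    .filter(([n]) => n === name)
    .map(([, v]) => v);
}

// The two session cookies from the thread: ROOT context and APP2 context.
const jar = [
  { name: "JSESSIONID", value: "ROOT-1111", domain: "hostname", path: "/", expires: null },
  { name: "JSESSIONID", value: "APP2-2222", domain: "hostname", path: "/APP2/", expires: null },
];

console.log(cookieHeader(jar, "hostname", "/APP2/login")); // both cookies, APP2 first
console.log(cookieHeader(jar, "hostname", "/index.jsp"));  // ROOT cookie only
console.log(valuesFor(cookieHeader(jar, "hostname", "/APP2/login"), "JSESSIONID"));
```

Anything that keys on the cookie name alone sees two values on /APP2/ requests, so it has to pick one deliberately rather than assume a single JSESSIONID.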
