tomcat-users mailing list archives

From Markus Näher <>
Subject Webapp with underscore in its name leads to failed session-cookies
Date Wed, 22 Jun 2016 08:28:25 GMT

I'm working on a JSF (myfaces) project that runs on Tomcat. First I thought it was a myfaces
but they told me that the container is responsible for the session cookie, so now I'm here

I've created a minimal JSF test project and I called it jsf_test. When I open the tomcat manager
and the webapp's welcome page in the browser, I can see that every reload of the webapp page
the session count.

In the web console of firefox, I could see that the session cookie was set with the path /jsf%5ftest, while other cookies (set by myfaces) were correctly set with the path /jsf_test.
It looks like firefox treats /jsf_test and /jsf%5ftest as different paths and therefore does not send the session cookie with the next request, while chromium ignores the difference.

I also noticed that the issue does not occur on every deployment / tomcat restart. It looks like the webapp name is stored internally during initialization, and depending on little timing variations (race condition?), it is either initialized to the escaped or the unescaped value. Tomcat always displays the unescaped name.

Among my teammates, some are always affected, some occasionally, and some never.

After renaming the webapp to "jsftest", the session count increments were gone.
The issue also occurs with a minus in the name, like "jsf-test".

Unfortunately, my real-world productive project has an underscore in its name too, but as many users have bookmarked it, I can't just rename it.

Is this a bug in Tomcat?

OS: Linux / Windows
Tomcat version: 8.0.36
JDK: Oracle JDK 1.8.0_92
Within the team, we're using different minor versions, but I've tested with the newest ones.

Markus Näher
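
The mismatch described in the message above, as an added example that is not part of the original post and is not Tomcat or Firefox code: the path-match rule of RFC 6265 section 5.1.4 compares strings without percent-decoding, so a cookie with Path /jsf%5ftest does not match a request for /jsf_test. The function names and the sample pairs are constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not a browser or Tomcat API.

// RFC 6265 section 5.1.4 path-match: plain string comparison, no percent-decoding.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a path-segment boundary.
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Decode percent-escapes of RFC 3986 unreserved characters only
// (ALPHA / DIGIT / "-" / "." / "_" / "~"); escaping these is never required.
function decodeUnreserved(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (escape, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : escape;
  });
}

// Classify one cookie Path attribute against the path the browser requests.
function diagnose(requestPath, cookiePath) {
  if (pathMatch(requestPath, cookiePath)) return "sent";
  if (pathMatch(decodeUnreserved(requestPath), decodeUnreserved(cookiePath))) {
    // Same location, different spelling: a strict matcher withholds the cookie.
    return "encoding-mismatch";
  }
  return "path-mismatch";
}

// Constructed sample pairs (request path, cookie Path) modelled on the report.
// The %2d row assumes the hyphen would be escaped the same way as the underscore.
const samples = [
  ["/jsf_test/index.xhtml", "/jsf_test"],
  ["/jsf_test/index.xhtml", "/jsf%5ftest"],
  ["/jsf-test/index.xhtml", "/jsf%2dtest"],
  ["/jsf_test2/index.xhtml", "/jsf_test"],
];
for (const [req, cookie] of samples) {
  console.log(`Path=${cookie} on ${req}: ${diagnose(req, cookie)}`);
}
```

An "encoding-mismatch" result on a session cookie is the condition that makes every request start a new session in a strictly matching client.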
