tomcat-dev mailing list archives

From "Wendy Gong" <>
Subject Fw: Problem with session cookie in Tomcat 5.5.17
Date Fri, 04 Aug 2006 00:16:09 GMT

We are porting our application from Tomcat 4.1.24 to Tomcat 5.5.17 and noticed there is a
change of behavior in Tomcat 5 which causes our OpenSTA testing scripts to fail to run:

Tomcat 5 can send down more than one session ID to the web client with the same path.



will send down 2 "Set-Cookie" headers with the same context path. The first one contains the
session ID created by the first "request.getSession()" and the second one contains the second
session ID created by the second "request.getSession()".

OpenSTA appears to pick up the first session ID instead of the second one. This basically
causes the subsequent requests to contain the wrong session ID.

Although we can argue that it is the client's responsibility to pick up the second session
ID, it would be much more logical and robust for the server to send down only one session
ID with the same path. Tomcat 4 seems to behave correctly and it works happily with OpenSTA.

I checked the source code "" and the "doGetSession"
method always adds a new session cookie into the response once a new session is created, without
checking if there is an existing session cookie with the same path in the response object.

One way to avoid this problem is to modify the application to ensure only one new session
is created. Since we are using Struts, the first new session is actually created in the Struts
action class; we will have to manually remove the first "Set-Cookie" header in the response
for the regression test to work.

Since this is not reported in the bug list, we would like to know if the above behavior of
Tomcat 5 is a problem or it is by design. If you think it is a bug, please let us know if
you will be able to fix it in the near future.



Weihong Gong
Fujitsu Australia Software Technology
Address: 14 Rodborough Road, Frenchs Forest NSW 2086
Tel: +61 2 9452 9062
Fax: +61 2 9975 2899
Mobile: +61 407486297
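
An added example, not part of the original message or of Tomcat's code: a check a regression-test client could run on a response to flag two session cookies sent for the same name and path, and to pick the value a cookie jar keeps when it processes the headers in order (the later cookie replaces the earlier one). The header values and session IDs below are constructed, and the function names are hypothetical.

```python
from collections import OrderedDict

# Constructed sample: response headers in wire order, with two session
# cookies for the same context path, as described in the message above.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=AAAA1111; Path=/app"),
    ("Set-Cookie", "JSESSIONID=BBBB2222; Path=/app"),
    ("Set-Cookie", "theme=dark; Path=/app"),
]


def parse_set_cookie(value, default_path="/"):
    """Split one Set-Cookie value into (name, value, path, domain).

    Assumption: a cookie without a Path attribute is filed under
    default_path; a real client derives it from the request URI.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    path = attrs.get("path") or default_path
    return name.strip(), val.strip(), path, attrs.get("domain", "").lower()


def resolve_cookies(headers):
    """Apply Set-Cookie headers in order; return (jar, duplicates).

    jar maps (name, domain, path) to the last value sent for that key.
    duplicates lists (key, replaced_value, new_value) for every key the
    response set more than once with a different value.
    """
    jar = OrderedDict()
    duplicates = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, val, path, domain = parse_set_cookie(header_value)
        key = (name, domain, path)
        if key in jar and jar[key] != val:
            duplicates.append((key, jar[key], val))
        jar[key] = val  # later cookie with the same key replaces the earlier
    return jar, duplicates


if __name__ == "__main__":
    jar, dups = resolve_cookies(SAMPLE_HEADERS)
    print("session id kept:", jar[("JSESSIONID", "", "/app")])
    print("duplicate session cookies:", dups)
```

A non-empty duplicates list for the session cookie is the condition worth failing a regression test on, since clients that keep the first value will send a stale session ID.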