Multiple JSESSIONID cookies being presented.

Discussion:

Jeffrey Janner

2015-09-04 16:37:31 UTC

Hi folks,
I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm also seeing this on Windows (version doesn't matter), with Tomcat 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
I have 2 contexts installed in Tomcat, one is ROOT, the other APP2. Both contexts start off at a login screen unique to the context and provided by it (not using container auth).
When I connect to ROOT, no problem, but when I connect to APP2, I get 2 JSESSIONID cookies, one with the path "/" and the other with the path "/APP2/".
On the Windows implementations, we are not seeing a problem, at least not one being reported.
On the Linux implementation, the end user will occasionally get immediately kicked out with an invalid session immediately after providing credentials. The access logs show a single jsessionid=xxx being provided on the POST URL. Amazingly, sometimes that goes through and lets the user login, so my theory is that the browser is sometimes picking the wrong path. (Also, theory, the "/" cookie is being generated by a request for "/favicon.ico" just before the request for the login page.)

So my question is: Is there anything I can do from a configuration perspective to get it to NOT send the "/" cookie for APP2?

Deployment details:
Linux is being fronted by an HaProxy server, but the traffic appears to be staying on one host.
Server.xml is essentially the basic one provided with install. Port # and access log information is modified and has RemoteIpValve setup so we can log the end user's IP.
Apps are deployed as war files with static context.xml files in Catalina/localhost. Those files all look like:
<Context>
<Manager pathname="" />
<Resource ...jdbc connection info.... />
</Context>
War files do get exploded. I can't find anything in the web.xml files that have anything to do with cookies.

Any help here would be appreciated.

Jeffrey Janner

Christopher Schultz

2015-09-04 17:45:30 UTC

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

Post by Jeffrey Janner
I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
also seeing this on Windows (version doesn't matter), with Tomcat
7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
I have 2 contexts installed in Tomcat, one is ROOT, the other
APP2. Both contexts start off at a login screen unique to the
context and provided by it (not using container auth).
When I connect to ROOT, no problem, but when I connect to APP2, I
get 2 JSESSIONID cookies, one with the path "/" and the other with
the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

Post by Jeffrey Janner
On the Windows implementations, we are not seeing a problem, at
least not one being reported.
On the Linux implementation, the end user will occasionally get
immediately kicked out with an invalid session immediately after
providing credentials. The access logs show a single
jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

Are you using request.encodeURL() to build the <form> action URL, or
are you building it manually?

I believe Tomcat prefers the Cookie-based session id to anything
coming-in from the URL, and I do know it will search all JSESSIONID
cookies for any that match a valid session (not just the first one) in
the current application. So logging-in should ... always work.

Post by Jeffrey Janner
Amazingly, sometimes that goes through and lets the user login, so
my theory is that the browser is sometimes picking the wrong path.
(Also, theory, the "/" cookie is being generated by a request for
"/favicon.ico" just before the request for the login page.)

You should make sure that anything that doesn't require authentication
specifically mentions that in web.xml, otherwise you'll get weird
things happening like that.

Post by Jeffrey Janner
So my question is: Is there anything I can do from a
configuration perspective to get it to NOT send the "/" cookie for
APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.
I think there's nothing in here that would change anything.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV6di6AAoJEBzwKT+lPKRY77QQAKzjMEDTVHYzqeFfhS9F9XUO
qrIwlcXlxolclLO2CYaBNoYgcPm1CM8UPMc88s3ysmjLU37dohR8rd1Ukkyp9hdG
0hRV7siKip3t2sj/EDBmslJOKyShlURAqLne14MkQaVvYz/i985MUDrRnlx9zujf
VjR5T0SV+M20ZOXoMN8S1ME09GMJktRajSs5T8rllwvMg+YtdmTo+hWfuerJNrj0
yRBVFkAVs1UOH64RvHud+M3lYleb2UrrE/ZxofDihBcmipKWNEV6W/fu/7uEQVLc
Hysc6CDh90L7xmoV8ndR6QoqNr4gX04mghRaU+PZiB6uPuPgYpJDaJ1wDITOrFnf
BVkXYRh1KICMzSyW1T2K8ZU+NkG4dp0RVI++IzjOuDy+i/EJ9opnNyRols8NkC0w
QLOueV6EbWZFbo9tZxJmaRS7Y7RObcbg/uk5JE9trK4KGcB/MtJQXWhk4Su5ZokS
5+knrgBbWbPcgH5x/1ten/BGkndp28C85FDci0AgsAFCbmim7KuuSL1oRRtLM5kw
WNOeWpJzOQ3FAHV6TqPWLiAclo9/1gTMJZKQtxH+sW5OWYEa/9Ch2ZCArewy5Z+m
KaNMfnXBrXlL9MGYyIQKiFVRUCyn/cyKKAlj9nLVbIBIsHeslCE7zq8zE15EOHVn
7v5mbzif9Ira1ZGLFBjC
=5N0l
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Jeffrey Janner

2015-09-04 19:31:43 UTC

Permalink

-----Original Message-----
Sent: Friday, September 04, 2015 12:46 PM
Subject: Re: Multiple JSESSIONID cookies being presented.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jeffrey,

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

The POST to j_security_check?

Are you using request.encodeURL() to build the <form> action URL, or
are you building it manually?

EncodeUrl. And a check of a couple of sites, both linux and windows, shows that the jsessionid is being added to the action by EncodeUrl, regardless of cookie settings. So far, it is always the APP2 sessionID.

I believe Tomcat prefers the Cookie-based session id to anything
coming-in from the URL, and I do know it will search all JSESSIONID
cookies for any that match a valid session (not just the first one) in
the current application. So logging-in should ... always work.

You should make sure that anything that doesn't require authentication
specifically mentions that in web.xml, otherwise you'll get weird
things happening like that.

We don't actually use Tomcat container authentication at all.

Post by Jeffrey Janner
So my question is: Is there anything I can do from a
configuration perspective to get it to NOT send the "/" cookie for
APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

I could do that, though we'd like to keep it so that if no context is specified we still go to APP1, so the user's don't have to change all of their bookmarks. Perhaps with a redirect?

I think there's nothing in here that would change anything.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV6di6AAoJEBzwKT+lPKRY77QQAKzjMEDTVHYzqeFfhS9F9XUO
qrIwlcXlxolclLO2CYaBNoYgcPm1CM8UPMc88s3ysmjLU37dohR8rd1Ukkyp9hdG
0hRV7siKip3t2sj/EDBmslJOKyShlURAqLne14MkQaVvYz/i985MUDrRnlx9zujf
VjR5T0SV+M20ZOXoMN8S1ME09GMJktRajSs5T8rllwvMg+YtdmTo+hWfuerJNrj0
yRBVFkAVs1UOH64RvHud+M3lYleb2UrrE/ZxofDihBcmipKWNEV6W/fu/7uEQVLc
Hysc6CDh90L7xmoV8ndR6QoqNr4gX04mghRaU+PZiB6uPuPgYpJDaJ1wDITOrFnf
BVkXYRh1KICMzSyW1T2K8ZU+NkG4dp0RVI++IzjOuDy+i/EJ9opnNyRols8NkC0w
QLOueV6EbWZFbo9tZxJmaRS7Y7RObcbg/uk5JE9trK4KGcB/MtJQXWhk4Su5ZokS
5+knrgBbWbPcgH5x/1ten/BGkndp28C85FDci0AgsAFCbmim7KuuSL1oRRtLM5kw
WNOeWpJzOQ3FAHV6TqPWLiAclo9/1gTMJZKQtxH+sW5OWYEa/9Ch2ZCArewy5Z+m
KaNMfnXBrXlL9MGYyIQKiFVRUCyn/cyKKAlj9nLVbIBIsHeslCE7zq8zE15EOHVn
7v5mbzif9Ira1ZGLFBjC
=5N0l
-----END PGP SIGNATURE-----
---------------------------------------------------------------------

B�KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB��[��X��ܚX�KK[XZ[�\�\��][��X��ܚX�P�X�]�\X�K�ܙ�B��܈Y][ۘ[��[X[��K[

Christopher Schultz

2015-09-04 19:55:23 UTC

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

Post by Christopher Schultz

-----Original Message----- From: Christopher Schultz
Subject: Re: Multiple JSESSIONID cookies being presented.

Jeffrey,

Post by Jeffrey Janner
I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but
I'm also seeing this on Windows (version doesn't matter),
with Tomcat 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java
7U51.
I have 2 contexts installed in Tomcat, one is ROOT, the
other APP2. Both contexts start off at a login screen unique
to the context and provided by it (not using container
auth).
When I connect to ROOT, no problem, but when I connect to
APP2, I get 2 JSESSIONID cookies, one with the path "/" and
the other with the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie
path=/) and one APP2 app (cookie path=/APP2). Your browser will
send both cookies to /APP2 because / is a prefix of /APP2.

Post by Jeffrey Janner
On the Windows implementations, we are not seeing a problem,
at least not one being reported.
On the Linux implementation, the end user will occasionally
get immediately kicked out with an invalid session
immediately after providing credentials. The access logs show
a single jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

So... where does the POST go?

Post by Christopher Schultz
Are you using request.encodeURL() to build the <form> action URL,
or are you building it manually?

EncodeUrl. And a check of a couple of sites, both linux and
windows, shows that the jsessionid is being added to the action
by EncodeUrl, regardless of cookie settings. So far, it is always
the APP2 sessionID.

I'm not surprised that the session id is being added to the URL
regardless of cookie settings, because at that point, Tomcat might not
know for sure if the client can support cookies. (I'm sure there are
cases where it's obvious that cookies are in fact supported, but
Tomcat is not detecting it.)

I'm surprised that Tomcat would use the "wrong" session id for
URL-rewriting when presenting the login screen. Are you saying that,
when showing the login page for /APP2, Tomcat will:

a. Place a session identifier in the URL with value X
b. Return a Set-Cookie response header for JSESSIONID with value Y

Where X != Y?

Post by Christopher Schultz
I believe Tomcat prefers the Cookie-based session id to anything
coming-in from the URL, and I do know it will search all
JSESSIONID cookies for any that match a valid session (not just the
first one) in the current application. So logging-in should ...
always work.

Post by Jeffrey Janner
Amazingly, sometimes that goes through and lets the user
login, so my theory is that the browser is sometimes picking
the wrong path. (Also, theory, the "/" cookie is being
generated by a request for "/favicon.ico" just before the
request for the login page.)

You should make sure that anything that doesn't require
authentication specifically mentions that in web.xml, otherwise
you'll get weird things happening like that.

We don't actually use Tomcat container authentication at all.

Okay, that's good information to have. But you do use Tomcat's
session-tracking mechanisms, right?

Post by Christopher Schultz

Post by Jeffrey Janner
So my question is: Is there anything I can do from a
configuration perspective to get it to NOT send the "/"
cookie for APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

I could do that, though we'd like to keep it so that if no
context is specified we still go to APP1, so the user's don't
have to change all of their bookmarks. Perhaps with a redirect?

That kind of thing is tough to do, but possible. Something like this:

# Ignore requests to /APP1
RewriteCond %{REQUEST_URI} ^/APP1
RewriteRule .* - [L]

# Ignore requests to /APP2
RewriteCond %{REQUEST_URI} ^/APP2
RewriteRule .* - [L]

# Re-write other requests
RewriteRule (.*) /APP1\1 [R,L]

Be very careful with the above: it's completely untested and can put
your clients into a redirect loop if you aren't careful and test all
cases. Also, the [R] flag will do odd things with POST requests, so
either make sure nobody POSTs to one of those URLs or expand the
configuration to properly-handle POSTs.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV6fcrAAoJEBzwKT+lPKRY38QP/26NhBIE6C9QodiEfzrWpH2O
7oPAIvCNjBb2uDD/gZI6QEMR7es0FHfk/8N0/DsS6PJTO8UIOQP4QBrorviUxBQv
Xowwv2rBIfARfYXYUdTAzZemnqYLDAV7eTZVYvnGvXvIpb5C7hInq3TTmMC7KKwh
swB2TauBNiLbHRI2TITq51+1c6CBJAp8/sCAA4i/TBkUPJFxareuyhmKNOJKhikK
bmQcbe30jkz/G9uRaft1byS/JCJot84qiuDBuW/N2y3xMZDOW/nvKUyzhaC+YrC+
SzdakkdTQTJRsVnzEhRSb9nz4fV4XdLyeCDrRhFUrVxUOHcq0p/D38Lqy75SnDRT
ip31AEgdmvWy2/aTVu3LtDsYX9nQzo0s070CctZPesTGtO1u31owF6Gp6stmb1Dy
dh2eaFb1mdWlZo4R/8jd+zgmdC3GQXCrup816BqdXqKHlrtXBqSo1OW/1dS/W2Vp
Ldw89FPsa6tVg47t8bO1We2I/kukjqgqVH49CZqRZsaPOER7ycprWTa0ykTaeOxJ
VpQFjsx3U3+/4RRFp7z9daTMjILrH6eFI9qJWM2LvS1DhpNkiS5+eWX1q1sm5WY9
McbfZXb1L3BcLVx8bp0KhsYLc+Yhkbfp/M84mSVVfrlfLMCRNz/ORQa+SYlYlz0x
wcoVjKS0Ir73it0lLVSK
=pTX5
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Jeffrey Janner

2015-09-04 20:40:15 UTC

Permalink

-----Original Message-----
Sent: Friday, September 04, 2015 2:55 PM
Subject: Re: Multiple JSESSIONID cookies being presented.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jeffrey,

Post by Christopher Schultz

-----Original Message----- From: Christopher Schultz
Subject: Re: Multiple JSESSIONID cookies being presented.

Jeffrey,

Post by Jeffrey Janner
I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but
I'm also seeing this on Windows (version doesn't matter),
with Tomcat 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java
7U51.
I have 2 contexts installed in Tomcat, one is ROOT, the
other APP2. Both contexts start off at a login screen unique
to the context and provided by it (not using container
auth).
When I connect to ROOT, no problem, but when I connect to
APP2, I get 2 JSESSIONID cookies, one with the path "/" and
the other with the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie
path=/) and one APP2 app (cookie path=/APP2). Your browser will
send both cookies to /APP2 because / is a prefix of /APP2.

Post by Jeffrey Janner
On the Windows implementations, we are not seeing a problem,
at least not one being reported.
On the Linux implementation, the end user will occasionally
get immediately kicked out with an invalid session
immediately after providing credentials. The access logs show
a single jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

So... where does the POST go?

Direct to back-end processing in the app (as far as I know).

Post by Christopher Schultz
Are you using request.encodeURL() to build the <form> action URL,
or are you building it manually?

EncodeUrl. And a check of a couple of sites, both linux and
windows, shows that the jsessionid is being added to the action
by EncodeUrl, regardless of cookie settings. So far, it is always
the APP2 sessionID.

That actually makes sense.

I'm surprised that Tomcat would use the "wrong" session id for
URL-rewriting when presenting the login screen. Are you saying that,
a. Place a session identifier in the URL with value X
b. Return a Set-Cookie response header for JSESSIONID with value Y
Where X != Y?

So far, it looks like it is maintaining an X=Y philosophy.
So that's a non-starter.

Post by Jeffrey Janner
Amazingly, sometimes that goes through and lets the user
login, so my theory is that the browser is sometimes picking
the wrong path. (Also, theory, the "/" cookie is being
generated by a request for "/favicon.ico" just before the
request for the login page.)

You should make sure that anything that doesn't require
authentication specifically mentions that in web.xml, otherwise
you'll get weird things happening like that.

We don't actually use Tomcat container authentication at all.

Okay, that's good information to have. But you do use Tomcat's
session-tracking mechanisms, right?

Yes, and the problem only rears its ugly head on a successful login (app expires old cookie, creates a new one).
User never even sees a new page, just an app-generated "session expired" error.
Trying to see things in access logs, but nothing there I can see.

Post by Christopher Schultz

Post by Jeffrey Janner
So my question is: Is there anything I can do from a
configuration perspective to get it to NOT send the "/"
cookie for APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

I could do that, though we'd like to keep it so that if no
context is specified we still go to APP1, so the user's don't
have to change all of their bookmarks. Perhaps with a redirect?

# Ignore requests to /APP1
RewriteCond %{REQUEST_URI} ^/APP1
RewriteRule .* - [L]
# Ignore requests to /APP2
RewriteCond %{REQUEST_URI} ^/APP2
RewriteRule .* - [L]
# Re-write other requests
RewriteRule (.*) /APP1\1 [R,L]
Be very careful with the above: it's completely untested and can put
your clients into a redirect loop if you aren't careful and test all
cases. Also, the [R] flag will do odd things with POST requests, so
either make sure nobody POSTs to one of those URLs or expand the
configuration to properly-handle POSTs.

Not fronting with HTTPD, so above isn't helpful.
Thinking a new ROOT with just an index.html that redirects to /APP1 or using something like Tuckey for it.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV6fcrAAoJEBzwKT+lPKRY38QP/26NhBIE6C9QodiEfzrWpH2O
7oPAIvCNjBb2uDD/gZI6QEMR7es0FHfk/8N0/DsS6PJTO8UIOQP4QBrorviUxBQv
Xowwv2rBIfARfYXYUdTAzZemnqYLDAV7eTZVYvnGvXvIpb5C7hInq3TTmMC7KKwh
swB2TauBNiLbHRI2TITq51+1c6CBJAp8/sCAA4i/TBkUPJFxareuyhmKNOJKhikK
bmQcbe30jkz/G9uRaft1byS/JCJot84qiuDBuW/N2y3xMZDOW/nvKUyzhaC+YrC+
SzdakkdTQTJRsVnzEhRSb9nz4fV4XdLyeCDrRhFUrVxUOHcq0p/D38Lqy75SnDRT
ip31AEgdmvWy2/aTVu3LtDsYX9nQzo0s070CctZPesTGtO1u31owF6Gp6stmb1Dy
dh2eaFb1mdWlZo4R/8jd+zgmdC3GQXCrup816BqdXqKHlrtXBqSo1OW/1dS/W2Vp
Ldw89FPsa6tVg47t8bO1We2I/kukjqgqVH49CZqRZsaPOER7ycprWTa0ykTaeOxJ
VpQFjsx3U3+/4RRFp7z9daTMjILrH6eFI9qJWM2LvS1DhpNkiS5+eWX1q1sm5WY9
McbfZXb1L3BcLVx8bp0KhsYLc+Yhkbfp/M84mSVVfrlfLMCRNz/ORQa+SYlYlz0x
wcoVjKS0Ir73it0lLVSK
=pTX5
-----END PGP SIGNATURE-----
---------------------------------------------------------------------

Т��ХF�V�7V'67&�&R�R��âW6W'2�V�7V'67&�&TF��6B�6�R��&pФf�"FF�F��6��G2�R�

Christopher Schultz

2015-09-09 18:48:14 UTC

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

Post by Christopher Schultz
I'm surprised that Tomcat would use the "wrong" session id for
URL-rewriting when presenting the login screen. Are you saying
a. Place a session identifier in the URL with value X b. Return a
Set-Cookie response header for JSESSIONID with value Y
Where X != Y?

So far, it looks like it is maintaining an X=Y philosophy. So
that's a non-starter.

Maybe we aren't communicating well: I'd expect to see X = Y *100% of
the time*. The session id for both the URL *and* the cookie should be
the same, otherwise mass confusion would ensue.

Post by Christopher Schultz
But you do use Tomcat's session-tracking mechanisms, right?

Yes, and the problem only rears its ugly head on a successful
login (app expires old cookie, creates a new one).

Usually, Tomcat won't explicitly expire an old JSESSIONID cookie...
just set another one with a new value. The browser should replace the
old value with the new one.

Post by Christopher Schultz

User never even sees a new page, just an app-generated "session
expired" error. Trying to see things in access logs, but nothing
there I can see.

Hmm.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8H7uAAoJEBzwKT+lPKRYf30QAJ6V2G22zeRhRS7pl3rkhk7w
4/de4gpP+HfS/TYdOrLWr/qn26VPM38xjqPTuOvLTTGNfqgTdKhhrpQwEtHA9iSj
9K3oFmoEN7vXxshKjp2Q5bmjKemez1NVX43bwolq8+fTjVSlGZwTZcSA8+n2rJ05
vV5mBT+O4iqdYT1L1zdUj8XGWBS7hDmL9XCJM+08c4Rxajin37J4Xebi1HBAIM5a
WLijOUNAGHnkfDfpipxBgRcPly/wj//D0TdAZRMLqjVBh3DN6Lxhi59IOIiQgOYc
vu7l+GsimC1QI9/qM88JYlOXzJqpncjdYddyiJXdjvs1b7Rqk2QFGNyzE+njtPYK
icatILkejaN4Ic73mZZtHck50uY7vUagoZCAgsi48vMxsNXraFqrsN6NlKVVI3RN
L11+z7+qftoirWKGgTFmADikm/sknYiaezaVRIYLJohADONeQQ0sd9NpR4LQOU1x
87kWL+6rNfhNrnsWlGpm9PiBY4ZhmfpTcgK5iIJG3/2teCpk6sjye0BuVxkgQUPd
cHiTrhZgEVfkroWLTt55pKvIJmpX6BMA0R43UOk6NwTUrc0oKVqnZvkTMxt95b0m
lhHTRGFloCK3vKpz6ebeKowLz0Pc9rRBn6sQAANZgPd67m8XGjUDZ5lNBuz7XH/D
SfggjrqFB4x52K+EDETR
=LgVZ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Jeffrey Janner

2015-09-08 13:51:13 UTC

Permalink

-----Original Message-----
Sent: Friday, September 04, 2015 12:46 PM
Subject: Re: Multiple JSESSIONID cookies being presented.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jeffrey,

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

Chris -
I wanted to come back to this case.
Why is the above "expected behavior"?
The client is connecting directly as "https://hostname/APP2" and never going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first connection. To me, this seems like a bug.
Only being an admin, I've not fully read the spec, so not sure if the above is really expected behavior.
Now, it's been doing this since at least Tomcat 6, I have one running now, and I've never had a problem with it using direct connections. But now we are front-ending with HaProxy and going to two backend tomcats, and using the JSESSIONID to support sticky-sessions. I'm afraid the multiple cookies is confusing HaProxy. (Yes, I'm going to ask that user community.)
Jeff

Т��ХF�V�7V'67&�&R�R��âW6W'2�V�7V'67&�&TF��6B�6�R��&pФf�"FF�F��6��G2�R�

Jose María Zaragoza

2015-09-08 14:08:03 UTC