You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Paul Singleton <pa...@jbgb.com> on 2008/01/03 13:49:06 UTC

session id cookies

If I set

    <Context cookies="false" ... >

will Tomcat ignore any JSESSIONID cookie which
accompanies a request?  Should it?

Paul Singleton

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: session id cookies

Posted by Paul Singleton <pa...@jbgb.com>.

Bill Barker wrote:
> "Paul Singleton" <pa...@jbgb.com> wrote in message 
> news:477CD9C2.3030007@jbgb.com...
>> If I set
>>
>>    <Context cookies="false" ... >
>>
>> will Tomcat ignore any JSESSIONID cookie which
>> accompanies a request?  Should it?
>>
> 
> With any of the released versions, it won't ignore the cookie if the browser 
> sends one.  There is a patch in the SVN that causes at least TC 6 to ignore 
> the cookie, but it seems to be buggy.  More info at 
> http://issues.apache.org/bugzilla/show_bug.cgi?id=43839.
> 
> As to "should", IMHO the cookies="false" should be more of a hint (like in 
> the released versions of Tomcat), but I'm in the minority here.

Thanks for the info.  We were experimenting with a wholly
URL-encoding version of an app (this appeals for various
reasons) but on switching between them, found that a left-
-over session cookie broke the "no cookies" version.

Given the long-established, disputed behaviour of the
"cookies" attribute, we'd be happy with an additional
"cookiesIgnore" attribute (and no change to "cookies")

Paul S.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: session id cookies

Posted by Bill Barker <wb...@wilshire.com>.

"Paul Singleton" <pa...@jbgb.com> wrote in message 
news:477CD9C2.3030007@jbgb.com...
> If I set
>
>    <Context cookies="false" ... >
>
> will Tomcat ignore any JSESSIONID cookie which
> accompanies a request?  Should it?
>

With any of the released versions, it won't ignore the cookie if the browser 
sends one.  There is a patch in the SVN that causes at least TC 6 to ignore 
the cookie, but it seems to be buggy.  More info at 
http://issues.apache.org/bugzilla/show_bug.cgi?id=43839.

As to "should", IMHO the cookies="false" should be more of a hint (like in 
the released versions of Tomcat), but I'm in the minority here.


> Paul Singleton
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> 




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org