Posted to users@tomcat.apache.org by Ch...@emc.com on 2011/10/24 19:33:38 UTC

jsessionid cookie across webapps

As I understand it, sessions are unique to each webapp.  However, I see the same jsessionid cookie being used for requests to two different webapps in the same container.  Is this correct?  Tomcat 5.5.34

Re: jsessionid cookie across webapps

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chad,

On 10/24/2011 1:33 PM, Chad.Davis@emc.com wrote:
> As I understand it, sessions are unique to each webapp.  However,
> I see the same jsessionid cookie being used for requests to two 
> different webapps in the same container.  Is this correct?

You mean that you are seeing the same JSESSIONID cookie being sent
from the client to the server regardless of the app? That usually
happens when you have done one (or more) of the following:

1. Nested one webapp inside another one's URL space
   (e.g. webapp1 -> /, webapp2 -> /foo)

2. Modified your configuration to use an empty session cookie path
   (which essentially makes the path "/")

All webapps will get this cookie, but only those for which the cookie
is valid will use it. In general, it's no harm for the cookie to be
there in duplicate, but you can confuse the heck out of yourself when
it happens. Tomcat is smart enough to use any valid JSESSIONID cookie
that comes in, so extras are not a big deal.

We had a problem where we were using the session id from an incoming
request to do a loop-back request to a *different webapp*. The webapp
accepting the client request was not configured to use sessions --
just blindly forwarded the session id that came in with the request to
the other webapp (where the session id was supposed to be valid). In
this case, the ordering of the JSESSIONID cookies was very important
(and cannot be predicted) and had an effect on whether or not the
request would be successfully processed. The solution was to stop
using nested URL spaces and the JSESSIONID overlap disappeared completely.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
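
Added example, not part of the thread and not Tomcat's code: the cookie path-match rule from RFC 6265 applied to the nested layout described above (webapp1 -> /, webapp2 -> /foo), showing why a request under /foo carries two JSESSIONID cookies and why the receiver should pick the id that is valid for it rather than the first one. The session ids, the cookie jar and the `resolve_session` helper are constructed for illustration.

```python
# Added example: RFC 6265 section 5.1.4 path-match, applied to the nested
# context paths from the thread (webapp1 -> /, webapp2 -> /foo).
# Session ids and the session store below are constructed sample values.

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: identical paths, or cookie_path is a prefix that
    ends on a '/' boundary of request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, request_path):
    """Return the (name, value) pairs a client would attach to the request.
    Same-name cookies are returned in stored order; a server must not rely on it."""
    return [(n, v) for (n, v, p) in jar if path_match(request_path, p)]

def resolve_session(sent, valid_ids):
    """Pick the JSESSIONID that is valid for this webapp instead of blindly
    taking the first one. Returns None when no candidate is valid."""
    for name, value in sent:
        if name == "JSESSIONID" and value in valid_ids:
            return value
    return None

# Constructed cookie jar: one session cookie per webapp.
JAR = [
    ("JSESSIONID", "AAAA1111", "/"),     # set by webapp1 (context path /)
    ("JSESSIONID", "BBBB2222", "/foo"),  # set by webapp2 (context path /foo)
]
WEBAPP2_SESSIONS = {"BBBB2222"}          # ids webapp2's session store knows

if __name__ == "__main__":
    for path in ("/index.jsp", "/foo/page.jsp", "/foobar"):
        print(path, cookies_sent(JAR, path))
    sent = cookies_sent(JAR, "/foo/page.jsp")
    print("first cookie:", sent[0][1],
          "| resolved for webapp2:", resolve_session(sent, WEBAPP2_SESSIONS))
```

With an empty session cookie path, every entry in the jar would carry Path=/ and match every request, which is the second cause listed in the reply.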


RE: jsessionid cookie across webapps

Posted by Ch...@emc.com.

> Read up on the emptySessionPath connector setting in the Tomcat
> configuration guide.  This will explain it.
> 

Which, for the record, is here:  

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html



RE: jsessionid cookie across webapps

Posted by "Carrillo, Dan" <dc...@idanalytics.com>.

Read up on the emptySessionPath connector setting in the Tomcat configuration guide.  This will explain it.

-----Original Message-----
From: Chad.Davis@emc.com [mailto:Chad.Davis@emc.com] 
Sent: Monday, October 24, 2011 10:34 AM
To: users@tomcat.apache.org
Subject: jsessionid cookie across webapps

As I understand it, sessions are unique to each webapp.  However, I see the same jsessionid cookie being used for requests to two different webapps in the same container.  Is this correct?  Tomcat 5.5.34

