Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/03/07 16:18:20 UTC

[Bug 59122] Browser send back to tomcat "likely valid" JSESSIONID but tomcat recreate session and response to browser a renewed JESSIONID

https://bz.apache.org/bugzilla/show_bug.cgi?id=59122

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
There is insufficient evidence in this report of a bug in Tomcat. The most
likely explanation is an application bug.

The Tomcat 7 version being used is quite old. I don't recall any session
handling issues but it is worth testing to see if an upgrade resolves the
issue.

There are only two things that can trigger a Set-Cookie header. The first is
creation of a new session and the second is the session ID change on
authentication.

Given that the original session expires 30 mins after the new session is
created this isn't a session ID change due to authentication. Therefore, a new
session is being created because the previous session cannot be found.

The Set-Cookie="-" looks very strange.

You'll need to do some more investigation with the application to figure out
what is going wrong. You might want to consider logging the HTTP request
headers and the stack trace for the session creation. If you need help with
investigating your application, the users@ mailing list is the place to ask,
not Bugzilla.

If the discussion on users@ identifies a Tomcat bug then please feel free to
re-open this issue and provide the details.

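One way to capture the request headers and the session-creation stack trace suggested in the comment above, as an added example that is not part of the original message or of Tomcat's code. It assumes the Servlet 3.0 API (javax.servlet) that Tomcat 7 provides; the class name SessionDiagnostics and the mask helper are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Hypothetical diagnostic class: deploy it inside the affected web application.
@WebListener
@WebFilter("/*")
public class SessionDiagnostics implements Filter, HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionDiagnostics.class.getName());

    // Log only a short prefix so a leaked log line cannot be replayed as a session.
    static String mask(String id) {
        if (id == null) return "none";
        return id.length() <= 6 ? "***" : id.substring(0, 6) + "***";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // What the browser sent, and whether Tomcat still knows that session.
        StringBuilder sb = new StringBuilder(r.getMethod() + " " + r.getRequestURI()
                + " requestedSessionId=" + mask(r.getRequestedSessionId())
                + " valid=" + r.isRequestedSessionIdValid());
        for (String name : Collections.list(r.getHeaderNames())) {
            // Cookie and Authorization values are secrets: record their size only.
            boolean secret = name.equalsIgnoreCase("Cookie")
                    || name.equalsIgnoreCase("Authorization");
            String value = r.getHeader(name);
            sb.append("\n  ").append(name).append(": ")
              .append(secret ? "<" + value.length() + " chars>" : value);
        }
        LOG.info(sb.toString());
        chain.doFilter(req, res);
    }

    @Override public void sessionCreated(HttpSessionEvent se) {
        // The Throwable records the code path that asked for a new session.
        LOG.log(Level.INFO, "session created id=" + mask(se.getSession().getId()),
                new Throwable("session creation call site"));
    }
    @Override public void sessionDestroyed(HttpSessionEvent se) {
        LOG.info("session destroyed id=" + mask(se.getSession().getId()));
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

A request logged with valid=false followed by a "session created" entry shows which code path replaced the session the browser asked for; a matching "session destroyed" entry earlier in the log shows when the original one went away.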