DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419

Session-ID grabbing from Request accepts invalid session cookies in presence of valid URL sessions

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

------- Additional Comments From [EMAIL PROTECTED] 2003-03-21 20:15 -------

Yes, this is a BUG, and it seems that it is a serious bug, because probably about 1% of sessions are lost with IE, when the session for some circumstances is invalidated but the cookie is left non-expired, and after that the new session is generated and IE (6 and 5 for me) _ALWAYS_ sends two JSESSIONID cookies; but the first cookie is for the invalid session, so Tomcat treats the session as new, although the second cookie contains the actual session id.

Also, I have read in the Netscape standard for cookies (http://wp.netscape.com/newsref/std/cookie_spec.html for your reference):

----------
Instances of the same path and name will overwrite each other, with the latest instance taking precedence. Instances of the same path but different names will add additional mappings.
----------

Well, I suppose this document is pretty old, but neither the later RFCs (2109, 2965) nor the Servlet 2.3 Specification contains any information about cookie priority, so it is a good thing to think about.

And I am very frustrated that this bug has remained NEW for about a year - isn't it a buglist?? Yes, I know that Mr. Maucherat in a similar bug 10419 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419) resolved this as WONTFIX, saying that he doesn't see any real use cases. Please reconsider this or at least say something.

Sincerely,
Peter.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
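The failure Peter describes is that the request carries two JSESSIONID cookies and the server reads only the first. The following is an added illustration, not Tomcat's own code and not code from the post: it parses a Cookie header, collects every JSESSIONID value in header order, and returns the first one that names a live session, falling back to "no session" (so a fresh session is created) when none of them does. The `isLiveSession` predicate, the `SessionIdResolver` class and the sample header and session ids are assumptions constructed for this example.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Added example (not Tomcat code): resolve the session id when the Cookie
 * header carries more than one JSESSIONID, as the bug report says IE does
 * after a session is invalidated while its cookie is still unexpired.
 */
public class SessionIdResolver {

    /** Collect every value of the named cookie, in the order the client sent them. */
    static List<String> cookieValues(String cookieHeader, String name) {
        List<String> values = new ArrayList<>();
        if (cookieHeader == null) {
            return values;
        }
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().equals(name)) {
                values.add(kv[1].trim());
            }
        }
        return values;
    }

    /**
     * Return the first JSESSIONID value that refers to a live session, or null
     * when none does. Returning null makes the caller create a new session,
     * which is the same outcome as for a single stale cookie.
     * isLiveSession is a stand-in for a lookup in the server's session store.
     */
    static String resolveSessionId(String cookieHeader, Predicate<String> isLiveSession) {
        for (String id : cookieValues(cookieHeader, "JSESSIONID")) {
            if (isLiveSession.test(id)) {
                return id;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed session store: only "new123" is currently live.
        Set<String> liveSessions = new HashSet<>();
        liveSessions.add("new123");

        // Constructed header in the shape the report describes:
        // stale cookie first, live cookie second, plus an unrelated cookie.
        String header = "JSESSIONID=stale999; JSESSIONID=new123; lang=en";
        System.out.println("resolved: " + resolveSessionId(header, liveSessions::contains));

        // Only a stale cookie present: no live session, so a new one would be created.
        System.out.println("resolved: " + resolveSessionId("JSESSIONID=stale999", liveSessions::contains));
    }
}
```

Choosing by server-side validity rather than by position sidesteps the question of cookie priority that the post notes the RFCs leave open: a value is used only if the session store already knows it, so a stale or forged id is never promoted. It is also worth noting, as general practice rather than something the report states, that sending an expiring Set-Cookie for JSESSIONID at the moment a session is invalidated removes the stale cookie at its source, which keeps this multiple-cookie case from arising for clients that honour it.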