On Feb 28, 2013, at 10:50 AM, Christopher Schultz wrote:

> Jose,
> 
> On 2/28/13 2:43 AM, Jose María Zaragoza wrote:
>> I've seen in my web browser that it has got 2 JSESSIONID for the
>> same domain at the same time
>> 
>> 
>> JSESSIONID: xxxxxxxxxxxxx www.mydomain.com /
>> 
>> and
>> 
>> JSESSIONID: yyyyyyyyyyyy www.mydomain.com /app/myapplication/
> 
> You might want to instrument your web application to find out why you
> are getting JSESSIONIDs with different paths. Do you have a ROOT
> webapp that can generate sessions? Perhaps you have JSPs in your ROOT
> webapp that don't have session="false" in its header?
> 
>> Checking requests to my Tomcat server, I see
>> 
>> POST /app/myaplication/action/play.do
>> 
>> Cookie: DWRSESSIONID=F71Wlww0mrwuExOQoE3aLslewQj; 
>> JSESSIONID=xxxxxxxxxxxxxxxxxxxxx; 
>> JSESSIONID=yyyyyyyyyyyyyyyyyyyyyyyyyy;
> 
> That's interesting. I would recommend a servlet filter that captures
> addCookie and friends to see where that "extra" one is being added.

The two JSESSIONIDs immediately above are in the request, so they're added by 
the browser, not the server, so a filter wouldn't do you any good there. He 
could, however, put a filter on the ROOT web application (assuming he has 
enough control over it to do so) to figure out what is creating the session in 
the ROOT application. Chris, you may have known that and meant something 
different, and if so, my apologies for misunderstanding.

> 
>> How does the Tomcat server handle this situation? I'm talking about
>> session management. Does it read the first JSESSIONID? Does it read
>> every JSESSIONID? Can this cause problems?
> 
> Tomcat will read session ids until it finds one that is valid: having
> multiple JSESSIONID cookies is not a problem unless *both* are valid
> for some reason. In that case, I suspect you'll get the first (that
> is, the one that occurs first in the HTTP request) JSESSIONID and the
> other one will essentially be ignored.
> 
>> I know I can rename JSESSIONID when it's served by my Tomcat
>> server, but I want to be sure that I need to do that
> 
> You probably don't need to do that.

Need, not absolutely, no. However, changing the name of the session cookie in 
the deployment descriptor of the /app/myapplication app WOULD eliminate any 
conflict between the two sessions for sure, and if it is valid that both the 
/app/myapplication application and the ROOT (/) application are creating 
sessions, that might be the safest thing to do.

Nick

> 
> - -chris
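Added example, not code from this thread and not Tomcat's own code. It models the selection rule Chris describes above (the first JSESSIONID in the header is taken, and a later one replaces it only while the current one is not valid in that context) and then shows why Nick's suggestion of renaming the cookie for /app/myapplication removes the ambiguity. Assumptions, labelled in the code: the Cookie header is the one quoted in the thread with the placeholder ids kept as-is, the `is_valid` callback stands in for a context's session manager, the "last candidate remains when none is valid" fallback is this model's reading of "read session ids until it finds one that is valid", and `APPSESSIONID` is a hypothetical cookie name.

```python
"""Model of how a servlet container picks the session id when a request
carries several cookies with the session cookie name.

Added example; not code from the thread or from Tomcat. It implements the
rule described in the reply above (take the first id, move on only while
the current one is not valid). Assumptions: the is_valid callback stands
in for the context's session Manager, and when no candidate is valid the
last one tried is what remains.
"""
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample: the Cookie header from the request quoted in the
# thread, with the session ids kept as the placeholders used there.
COOKIE_HEADER = (
    "DWRSESSIONID=F71Wlww0mrwuExOQoE3aLslewQj; "
    "JSESSIONID=xxxxxxxxxxxxxxxxxxxxx; "
    "JSESSIONID=yyyyyyyyyyyyyyyyyyyyyyyyyy;"
)
ROOT_ID = "xxxxxxxxxxxxxxxxxxxxx"   # cookie set for path /
APP_ID = "yyyyyyyyyyyyyyyyyyyyyyyyyy"  # cookie set for path /app/myapplication/

# Constructed: what the same browser would send after the app at
# /app/myapplication renamed its session cookie (APPSESSIONID is a
# hypothetical name chosen for this example).
RENAMED_HEADER = (
    "DWRSESSIONID=F71Wlww0mrwuExOQoE3aLslewQj; "
    "JSESSIONID=" + ROOT_ID + "; "
    "APPSESSIONID=" + APP_ID + ";"
)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs in the order
    the browser sent them. Duplicate names are kept on purpose: a dict
    keyed by name would silently drop one JSESSIONID and hide exactly the
    situation the thread is about."""
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def session_id_candidates(header: str, cookie_name: str) -> List[str]:
    """All values sent under the session cookie name, in request order."""
    return [v for n, v in parse_cookie_header(header) if n == cookie_name]


def requested_session_id(header: str, cookie_name: str,
                         is_valid: Callable[[str], bool]) -> Optional[str]:
    """Pick the session id the container will look up.

    The first candidate is accepted unconditionally; a later candidate
    replaces it only while the current one is not valid in this context.
    Consequences: if two ids are both valid, the first in the header wins
    and the second is ignored; if none is valid, the last one seen remains
    (assumption of this model, see module docstring)."""
    chosen: Optional[str] = None
    for candidate in session_id_candidates(header, cookie_name):
        if chosen is None or not is_valid(chosen):
            chosen = candidate
    return chosen


def resolve(header: str, cookie_name: str,
            live_sessions: Set[str]) -> Optional[str]:
    """Return the live session the request attaches to, or None when the
    chosen id is unknown to this context's manager (the container would
    then create a fresh session on demand)."""
    sid = requested_session_id(header, cookie_name, live_sessions.__contains__)
    return sid if sid in live_sessions else None


if __name__ == "__main__":
    root_sessions = {ROOT_ID}  # sessions the ROOT (/) context knows
    app_sessions = {APP_ID}    # sessions /app/myapplication knows
    print("ROOT context resolves to:", resolve(COOKIE_HEADER, "JSESSIONID", root_sessions))
    print("app context resolves to: ", resolve(COOKIE_HEADER, "JSESSIONID", app_sessions))
    # The conflict case Chris describes: both ids valid in one context.
    print("both valid, first wins:  ",
          requested_session_id(COOKIE_HEADER, "JSESSIONID", lambda s: True))
    # After renaming the app's cookie there is exactly one candidate.
    print("renamed candidates:      ", session_id_candidates(RENAMED_HEADER, "APPSESSIONID"))
```

Two things the model makes visible. First, the order of the candidates is whatever the browser put in the header; the server does not control it, so "first valid wins" is only a safe rule while at most one of the ids is valid in a given context. Second, once the application uses its own cookie name, `session_id_candidates` returns a single value and the selection rule never has to choose. In a Servlet 3.0 deployment descriptor the name is set with `<session-config><cookie-config><name>...</name></cookie-config></session-config>`; Tomcat also accepts a `sessionCookieName` attribute on the application's `<Context>` element.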