2015-09-08 15:51 GMT+02:00 Jeffrey Janner <jeffrey.jan...@polydyne.com>:
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Friday, September 04, 2015 12:46 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Jeffrey,
>>
>> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
>> > also seeing this on Windows (version doesn't matter), with Tomcat
>> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
>> >
>> > I have 2 contexts installed in Tomcat, one is ROOT, the other
>> > APP2. Both contexts start off at a login screen unique to the
>> > context and provided by it (not using container auth).
>> >
>> > When I connect to ROOT, no problem, but when I connect to APP2, I
>> > get 2 JSESSIONID cookies, one with the path "/" and the other with
>> > the path "/APP2/".
>>
>> I would expect this behavior: you have one ROOT app (cookie path=/)
>> and one APP2 app (cookie path=/APP2). Your browser will send both
>> cookies to /APP2 because / is a prefix of /APP2.
>>
> Chris -
> I wanted to come back to this case.
> Why is the above "expected behavior"?
> The client is connecting directly as "https://hostname/APP2" and never going
> directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first
> connection. To me, this seems like a bug.
> Only being an admin, I've not fully read the spec, so not sure if the above
> is really expected behavior.

http://www.ietf.org/rfc/rfc2109.txt

   The following rules apply to choosing applicable cookie-values from
   among all the cookies the user agent has.

   Domain Selection
      The origin server's fully-qualified host name must domain-match
      the Domain attribute of the cookie.

   Path Selection
      The Path attribute of the cookie must match a prefix of the
      request-URI.

   Max-Age Selection
      Cookies that have expired should have been discarded and thus
      are not forwarded to an origin server.

   If multiple cookies satisfy the criteria above, they are ordered in
   the Cookie header such that those with more specific Path attributes
   precede those with less specific. Ordering with respect to other
   attributes (e.g., Domain) is unspecified.

> Now, it's been doing this since at least Tomcat 6, I have one running now,
> and I've never had a problem with it using direct connections. But now we
> are front-ending with HaProxy and going to two backend tomcats, and using the
> JSESSIONID to support sticky-sessions. I'm afraid the multiple cookies is
> confusing HaProxy. (Yes, I'm going to ask that user community.)
> Jeff
>
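
The RFC 2109 selection and ordering rules quoted above, applied to the two JSESSIONID cookies from the thread, as an added example that is not part of the original messages and is not Tomcat or HAProxy code. The cookie values, the request URIs and the `first_wins`/`last_wins` consumers are constructed for illustration, and domain matching is simplified to an exact host comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str
    domain: str
    expired: bool = False

# Constructed jar: the two session cookies described in the thread.
JAR = [
    Cookie("JSESSIONID", "root-session", "/", "hostname"),
    Cookie("JSESSIONID", "app2-session", "/APP2/", "hostname"),
]

def select_cookies(jar, host, request_uri):
    """Return the cookies RFC 2109 says to send, in Cookie-header order."""
    applicable = [
        c for c in jar
        if c.domain == host                  # Domain Selection (simplified: exact host)
        and request_uri.startswith(c.path)   # Path Selection: Path is a prefix of the URI
        and not c.expired                    # Max-Age Selection
    ]
    # More specific (longer) Path first; sorted() is stable for equal lengths.
    return sorted(applicable, key=lambda c: len(c.path), reverse=True)

def cookie_header(jar, host, request_uri):
    return "; ".join(f"{c.name}={c.value}" for c in select_cookies(jar, host, request_uri))

def values_for(header, name):
    """All values sent under one cookie name, in header order."""
    pairs = (item.strip().partition("=") for item in header.split(";") if item.strip())
    return [value for key, _, value in pairs if key == name]

def first_wins(header, name):
    values = values_for(header, name)
    return values[0] if values else None

def last_wins(header, name):
    # Same result as loading the pairs into a dict keyed by cookie name.
    values = values_for(header, name)
    return values[-1] if values else None

if __name__ == "__main__":
    for uri in ("/", "/APP2/login"):
        header = cookie_header(JAR, "hostname", uri)
        print(uri, "->", header, "| first:", first_wins(header, "JSESSIONID"),
              "| last:", last_wins(header, "JSESSIONID"))
```

A component that keys on the cookie name alone sees a different session ID depending on whether it keeps the first or the last value, which is the ambiguity to check for in anything placed in front of the two contexts.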