I took a look using the LiveHttpHeaders Chrome extension. It's very simple. Tomcat 8.0.33 is setting the Set-Cookie header in the response, and Tomcat 8.5.4 is not setting the Set-Cookie header in the response.
Ignore what I originally wrote about the distinction between the main domains (domain1.com and domain2.com) and the subdomain (sub.domain3.com). The domains and subdomains are not actually relevant to the problem. What was going on was that I had pre-existing cookies on domain1.com and domain2.com but no pre-existing cookie on sub.domain3.com.

On Sun, Aug 28, 2016 at 6:10 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Mike,
>
> On 8/27/16 8:44 PM, Mike Wertheim wrote:
> > I've found a difference in behavior between Tomcat 8.0.33 and
> > Tomcat 8.5.4.
> >
> > Here's the setup...
> >
> > I have some Tomcat servers behind an F5 load balancer. There are
> > two top-level domains (which I'll call domain1.com and domain2.com)
> > pointing to the load balancer. In addition, there is a separate
> > server running PHP. There is a top-level domain (which I'll call
> > domain3.com) that points to the PHP server. So www.domain3.com goes
> > to the PHP server. But we use DNS to point a subdomain of
> > domain3.com (let's call it sub.domain3.com) which points to the
> > Tomcat servers via the load balancer.
> >
> > The Java app that's running on Tomcat sets some cookies. The
> > cookie's domain is set by doing something like
> > cookie.setDomain(domain), where "domain" is based on the value of
> > request.getServerName().
> >
> > The bug that Tomcat 8.5.4 exhibits is: Chrome and Safari refuse to
> > set the cookie when the site is accessed via
> > http://sub.domain3.com.
> >
> > The cookies work fine in each of the following scenarios:
> > - It works fine when the Tomcat version is 8.0.33
> > - It works fine with Firefox
> > - It works fine when the site is accessed by either domain1.com or
> >   domain2.com
> >
> > The failure only happens with the combination of: Tomcat 8.5.4,
> > the browser is Chrome or Safari, and the site is accessed via
> > http://sub.domain3.com.
> >
> > This all happens using regular (non-SSL) http.
> >
> > I've attached server.xml and context.xml.
>
> Can you take a protocol-capture of the Set-Cookie response header in
> each case? Use something like Fiddler, FireBug, LiveHttpHeaders, etc.
> or even Wireshark to see what's being sent.
>
> -chris