This text is based on a Stack Overflow question I posted earlier today:
https://stackoverflow.com/questions/48600576/jsessionid-as-path-parameter-not-working-in-tomcat/48602272


I'm using Tomcat 7.0.84, and my web app uses the Servlet 3.0 deployment 
descriptor. The web.xml file contains this:

<session-config>
  <cookie-config>
    <name>JSESSIONID</name>
    <http-only>false</http-only>
  </cookie-config>
  <tracking-mode>URL</tracking-mode>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

I have a desktop application that logs into the web app and establishes a 
session. In response to a user action, it invokes a URL in a browser. Since I 
want the browser to be logged in with the same session, I append the jsessionid 
path parameter like this:

http://server/contextroot/path/;jsessionid=8BDF744802E7850D5AA4AB6535163504

I close my browser completely so when the URL is spawned, no previous session 
cookies will be sent. (My default browser is Chrome, and I verify this is the 
case.)

I also verify in code that the URL tracking mode is enabled, by logging the 
return value of ServletContext.getEffectiveSessionTrackingModes.

What I'm expecting is the browser request to automatically get the session 
indicated by the ;jsessionid parameter, but it is not happening. Each time 
Tomcat includes a new session cookie in its response.
What DOES work, and what I suspect does not comply with the servlet 3.0 spec, 
is either of these workarounds:
1. In web.xml, change the name of the session cookie from JSESSIONID to 
jsessionid.
2. In the URL, change the name of the path parameter from jsessionid to 
JSESSIONID.

Section 7.1.3 of the Servlet 3.0 spec contains this text:
  The session ID must be encoded as a path parameter in the URL string. The
  name of the parameter must be jsessionid. Here is an example of a URL
  containing encoded path information:

  http://www.myserver.com/catalog/index.html;jsessionid=1234

It does not provide at all for configuring a name for the path parameter used 
to pass in the session ID. It says explicitly, "The name of the parameter must 
be jsessionid."
But in org/apache/catalina/util/SessionConfig.java, this code is used to get 
the name of the session parameter:
    private static final String DEFAULT_SESSION_PARAMETER_NAME = "jsessionid";
...

    /**
     * Determine the name to use for the session cookie for the provided
     * context.
     * @param context
     */
    public static String getSessionUriParamName(Context context) {

        String result = getConfiguredSessionCookieName(context);

        if (result == null) {
            result = DEFAULT_SESSION_PARAMETER_NAME;
        }

        return result;
    }


I included the Javadoc because it seems to indicate this method was originally 
copy/pasted and then modified. The logic is, if there is a name configured for 
the session cookie, use the same name for the session path parameter, otherwise 
use jsessionid.

So, can anyone tell me if my suspicion that this is non-compliant (and hence, a 
bug) is correct?
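
Added example, not part of the original post and not Tomcat's code: a minimal Java model of the name resolution quoted above, run against the configurations the post describes, to show which path parameter name the server ends up looking for. The class name, the simplified path-parameter lookup and its exact, case-sensitive comparison are assumptions chosen to match the behaviour and workarounds the post reports.

```java
public class SessionParamNameDemo {
    static final String DEFAULT_SESSION_PARAMETER_NAME = "jsessionid";

    // Same rule as the getSessionUriParamName excerpt quoted in the post:
    // a configured cookie name, if any, is reused as the path parameter name.
    static String sessionUriParamName(String configuredCookieName) {
        return configuredCookieName != null
                ? configuredCookieName
                : DEFAULT_SESSION_PARAMETER_NAME;
    }

    // Hypothetical, simplified lookup (an assumption, not Tomcat's parser):
    // scans ";name=value" pairs in each path segment, comparing names exactly.
    static String sessionIdFromUri(String uri, String paramName) {
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;
        for (String segment : path.split("/")) {
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) {
                int eq = parts[i].indexOf('=');
                if (eq > 0 && parts[i].substring(0, eq).equals(paramName)) {
                    return parts[i].substring(eq + 1);
                }
            }
        }
        return null; // no matching path parameter in this URL
    }

    public static void main(String[] args) {
        String id = "8BDF744802E7850D5AA4AB6535163504"; // session ID from the post
        String lower = "http://server/contextroot/path/;jsessionid=" + id;
        String upper = "http://server/contextroot/path/;JSESSIONID=" + id;
        // {configured cookie <name> (null = none configured), request URL}
        String[][] cases = {
            {"JSESSIONID", lower}, // the web.xml and URL from the post
            {"jsessionid", lower}, // workaround 1: rename the cookie
            {"JSESSIONID", upper}, // workaround 2: rename the path parameter
            {null, lower},         // no cookie name configured: default applies
        };
        for (String[] c : cases) {
            String param = sessionUriParamName(c[0]);
            String found = sessionIdFromUri(c[1], param);
            System.out.printf("cookie name %-10s -> looks for ;%s= -> %s%n",
                    c[0], param,
                    found == null ? "no session ID found" : "session " + found);
        }
    }
}
```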
