Mark,

Thanks for the comments. Yes, LegacyCookieProcessor gets invoked in my case, not the default Rfc6265CookieProcessor as documented at Tomcat 9 Cookie Processor Component (https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html). I enabled debugging for a few components:
- "org.apache.catalina.connector"
- "org.apache.catalina.valves"
- "org.apache.catalina.valves"
- "org.apache.catalina.realm"
- "org.apache.tomcat.util.http"

I could see that the cookie in the request to web app #2 only contains JSESSIONID, not other cookies that are added in the response from web app #1 after successful authentication. When the parameter STRICT_SERVLET_COMPLIANCE is false (default), other cookies in the response from web app #1 are present in requests to other web apps.

I wonder whether the browser clients behave differently because the cookie path "/" was double-quoted like "\"/\""?! If the possible cause is on the client side (browsers), I am not sure if there is anything I can do about it on the server side.

Again, thanks for your help, and any further comment is much appreciated. Thanks a lot in advance.

Regards,
Wenshiuan Tang
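
Added example, not part of the original message or of Tomcat's code: how a client that applies the RFC 6265 storage algorithm literally (sections 5.1.4 and 5.2.4) would treat a quoted Path value like the one described above. The cookie name `EXTRA`, the context paths `/app1` and `/app2`, and the assumption that the client does not strip the quotes are constructed for illustration; real browsers may differ.

```javascript
// Added example: RFC 6265 cookie path handling, client side.
// Assumption: the client keeps the double quotes as part of the Path value.

// Section 5.1.4: default-path computed from the path of the request
// that received the Set-Cookie header.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// Section 5.2.4: a Path value that is empty or does not start with "/"
// is ignored and the default-path is used instead.
function cookiePath(pathAttr, setByPath) {
  if (!pathAttr || pathAttr[0] !== "/") return defaultPath(setByPath);
  return pathAttr;
}

// Section 5.1.4: path-match between a request path and a stored cookie-path.
function pathMatches(requestPath, cPath) {
  if (requestPath === cPath) return true;
  if (!requestPath.startsWith(cPath)) return false;
  return cPath.endsWith("/") || requestPath[cPath.length] === "/";
}

// Extract the raw Path attribute value (last one wins) from a Set-Cookie value.
function pathAttribute(setCookie) {
  let value = "";
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim().toLowerCase() === "path") {
      value = part.slice(eq + 1).trim();
    }
  }
  return value;
}

// Would a cookie set while requesting setByPath be sent with requestPath?
function isSent(setCookie, setByPath, requestPath) {
  const stored = cookiePath(pathAttribute(setCookie), setByPath);
  return pathMatches(requestPath, stored);
}

// Constructed sample headers: quoted path versus unquoted path.
const QUOTED = 'EXTRA=abc; Path="/"';
const PLAIN = "EXTRA=abc; Path=/";
console.log(isSent(QUOTED, "/app1/login", "/app2/index.jsp"));
console.log(isSent(PLAIN, "/app1/login", "/app2/index.jsp"));
```

Under these assumptions the quoted value is scoped to `/app1`, which is consistent with the cookie being absent from requests to the second web app; comparing the raw `Set-Cookie` header in both compliance modes is the server-side check that confirms whether the quotes are actually emitted.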