Re: How does one control what the path is on the JSESSIONID cookie?

Wed, 24 Jun 2009 07:28:20 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John,

On 6/23/2009 5:04 PM, John Caron wrote:
> Pid wrote:
>> Filip Hanik - Dev Lists wrote:
>>  
>>> John Caron wrote:
>>>    
>>>> Tomcat 6.0.18 automatically adds the session cookie like:
>>>>
>>>>  Set-Cookie: JSESSIONID=6D839FF3B960947CC6FD41B98CD02E0D; Path=/thredds
>>>>
>>>> How can I change the path part of the cookie?
>>>>       
>>> the only thing you can do is set it to empty, by using emptySessionPath.
>>>     
>>
>> Or you could change the name of your application.  That's unlikely to be
>> helpful though.
>>
>> Why does it matter?
>>
>> p
>>   
> The client may have more than one session, which must be distinguished
> by the path, eg i need:
> 
> Set-Cookie: JSESSIONID=6D839FF3B960947CC6FD41B98CD02E0D; Path=/thredds/p1

Multiple cookies is not a problem. If Tomcat receives multiple
JSESSIONID cookies with a request, it will try all of them until it gets
a match for the webapp being used to serve the request.

That said, having overlapping webapp URL spaces is asking for trouble.

> A previous post had this filter, which im guessing i can modify :
> 
> /**
> * This class will set the cookie maxAge to match the session timeout
> value. That way, a user who closes their browser and
> * re-enters the site will still have the same session if it has not
> timed out on the server.
> */

This filter was written for a very different purpose.

>            HttpSession session = httpRequest.getSession();

Note that this filter creates sessions when when one is not necessary.

>                httpResponse.addCookie( sessionCookie ); //FIX! This
> doesn't actually get rid of the other cookie, but it seems to work OK

This comment is telling: yes, the old cookie is not removed, and it
really should be. A better solution would be to write a Valve that wraps
the response to intercepts addCookie calls and re-write the maxage when
the cookie is added.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpCN+IACgkQ9CaO5/Lv0PBK5gCeJZQL7x8vEFN2YVNV0+t6OyQM
4SAAn0kB0vy6t5HzJtsmVnhq6BchLqgb
=Xwwz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to