https://issues.apache.org/bugzilla/show_bug.cgi?id=50633
Summary: Stale cookie value obtained with getCookies() after
login/logout/login
Product: Tomcat 6
Version: 6.0.30
Platform: Macintosh
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=26532)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26532)
WAR to reproduce the issue
I attach a simple WAR file to illustrate this. To reproduce, follow these
steps. Obviously the cookie ids etc. will be different for you.
- deploy attached cookie-bug.war
- delete JSESSIONID browser cookie for localhost
First round:
- go to http://localhost:8080/cookie-bug/do.jsp
- no Cookie header is sent by the browser
- Tomcat forwards to login.jsp
- Set-Cookie:JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234; Path=/cookie-bug
- enter "tomcat" as password and press Login
- this POSTs to j_security_check
- Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- do.jsp: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- JSP displays
- requested: 8E5BD8A089735AEAAC1477F7F2C9A234
- session id: 8E5BD8A089735AEAAC1477F7F2C9A234
- cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- click on logout
- Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- you are back to do.jsp
- Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- forwards to login.jsp
- Set-Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57; Path=/cookie-bug
So far so good! Now the second round:
- enter "tomcat" as password and press Login
- this POSTs to j_security_check
- Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57
- do.jsp:
- Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57
- displays
- requested: A591F1194A99A1AA6CBDAE7511F0BF57
- session id: A591F1194A99A1AA6CBDAE7511F0BF57
- Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234 => how is this
possible?
Everything is fine *except* the Cookie value comes from nowhere!
It looks like there is a stale cookie that somehow got reused.
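One way to catch the mismatch described in the second round on a running server, as an added example that is not part of the report or the attached WAR: a servlet filter that compares every JSESSIONID value returned by getCookies() with getRequestedSessionId() and logs when they differ. The class name is hypothetical, and the code assumes the Servlet 2.5 API that Tomcat 6 implements.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added diagnostic, not from the attached WAR. Class name is hypothetical.
// Written against the Servlet 2.5 API (javax.servlet) that Tomcat 6 implements.
public class StaleSessionCookieFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(StaleSessionCookieFilter.class.getName());
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            check((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // Session ids are credentials: log only a short prefix, never the full value.
    static String abbreviate(String id) {
        return id == null ? "none" : id.length() <= 8 ? id : id.substring(0, 8) + "...";
    }

    private void check(HttpServletRequest r) {
        Cookie[] cookies = r.getCookies(); // null when the request carried no cookies
        if (cookies == null || !r.isRequestedSessionIdFromCookie()) return;
        String requested = r.getRequestedSessionId();
        HttpSession session = r.getSession(false); // do not create a session here
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName()) && !c.getValue().equals(requested)) {
                LOG.warning("Stale JSESSIONID from getCookies(): cookie=" + abbreviate(c.getValue())
                        + " requested=" + abbreviate(requested) + " session="
                        + abbreviate(session == null ? null : session.getId()));
            }
        }
    }
}
```

A browser that legitimately sends several JSESSIONID cookies for different paths will also trigger the warning, so read each hit against the Cookie header actually sent.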