Hi Oleg,

> Think of session cookies. Most of browsers do not include the path
> attribute when sending cookies to the server. If the scheme you
> are suggesting were correct a servlet engine would not be able to
> distinguish session ids of individual web applications

That is correct. All web applications use the same session ID. They keep different session objects in memory, so their data remains separate. What ID is used does not really matter.

> Please do take a look at the Netscape draft:
>
> path=PATH
> The path attribute is used to specify the subset of URLs in a
> domain for which the cookie is valid. If a cookie has already
> passed domain matching, then the pathname component of the URL is
> compared with the path attribute, and if there is a match, the
> cookie is considered valid and is sent along with the URL request.
> The path "/foo" would match "/foobar" and "/foo/bar.html". The path
> "/" is the most general path.
>
> RFC 2109 meant to say pretty much the same

Yes, that's for selecting those cookies that get sent back from the client to the server. Here, I fully agree with you. A cookie for /app1 is sent only to /app1/*. But I still say that the cookie can have been set by /app1/screens/login.jsp in the first place.

> I have no problem with being proven wrong. I can err as any mortal human.

Since we cannot agree on a common interpretation of the RFC, I doubt either of us can prove the other wrong :-)

Referring to the implementation, the last check in method validate(...) of CookieSpecBase does not match your interpretation, does it?

http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java?view=markup

cheers,
Roland
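
The two checks discussed in this message, as an added Python example that is not part of the original e-mail and is not HttpClient's code: a set-time check that accepts a cookie whose path is a prefix of the setting resource's path, and the send-time prefix match from the quoted Netscape draft. The segment-aware matcher (the RFC 6265 rule), the function names and the sample paths are additions for comparison.

```python
# Added illustration: function names and sample paths are constructed,
# not taken from HttpClient.

def netscape_path_match(request_path, cookie_path):
    """Send-time rule from the quoted Netscape draft: plain string prefix."""
    return request_path.startswith(cookie_path)


def segment_path_match(request_path, cookie_path):
    """RFC 6265-style rule: the prefix must end on a '/' boundary."""
    if not request_path.startswith(cookie_path):
        return False
    if len(request_path) == len(cookie_path) or cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def accept_on_set(origin_path, cookie_path):
    """Set-time check under the reading argued in the message: the cookie
    path only has to be a prefix of the path of the setting resource."""
    return origin_path.startswith(cookie_path)


def build_jar(set_cookie_events):
    """Keep (name, path) for every cookie that passes the set-time check."""
    return [(name, path) for origin, name, path in set_cookie_events
            if accept_on_set(origin, path)]


def cookies_to_send(jar, request_path, match):
    """Names of the cookies in the jar that the match rule selects."""
    return [name for name, path in jar if match(request_path, path)]


# Constructed sample: (origin path, cookie name, cookie Path attribute)
EVENTS = [
    ("/app1/screens/login.jsp", "SESSION_A", "/app1"),  # accepted
    ("/app1/screens/login.jsp", "SESSION_B", "/app2"),  # rejected: foreign path
    ("/foo/index.html", "FOO", "/foo"),                 # accepted
]
JAR = build_jar(EVENTS)

if __name__ == "__main__":
    for req in ("/app1/cart.jsp", "/foo/bar.html", "/foobar"):
        print(req,
              cookies_to_send(JAR, req, netscape_path_match),
              cookies_to_send(JAR, req, segment_path_match))
```

Under the draft's prefix rule the cookie for /foo is also sent to /foobar, so a Path attribute does not isolate applications whose paths share a prefix.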
