Dan Smith created GEODE-3812:
--------------------------------
Summary: Stop using JSESSIONID cookie in session module
Key: GEODE-3812
URL: https://issues.apache.org/jira/browse/GEODE-3812
Project: Geode
Issue Type: Bug
Components: http session
Reporter: Dan Smith

The session module for generic Application servers sets the JSESSIONID cookie
in SessionCachingFilter.addSessionCookie.

The application server also sets the JSESSIONID cookie, as specified by the
Java Servlet spec.

It's somewhat undefined what the container will do in this case. It looks like
depending on the version of Jetty, it will either keep Geode's JSESSIONID or it
will put both cookies in the response, with the Geode one coming last.

Technically that is against RFC 6265, which says "Servers SHOULD NOT include
more than one Set-Cookie header field in the same response with the same
cookie-name." However, it looks like browsers will tend to keep the last session
cookie so things aren't failing at the moment.

We should stop using the same cookie name as the container to avoid this
conflict.
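
A check for the condition the issue describes, added here as an example and not taken from the Geode code base: it scans a raw HTTP response for cookie-names that appear in more than one Set-Cookie header and reports which value a last-one-wins client would keep. The sample response, its cookie values and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: container cookie first, session-module cookie last,
# matching the ordering described in the issue. All values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=container-id-0001; Path=/app; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=geode-id-0002; Path=/app; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response):
    """Return (name, value, attrs) for each Set-Cookie header, in wire order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, content = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        pair, *attr_parts = content.split(";")
        name, _, value = pair.partition("=")
        attrs = {}
        for part in attr_parts:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def find_duplicate_cookies(raw_response):
    """Map each cookie-name set more than once to its entries, in wire order."""
    by_name = defaultdict(list)
    for name, value, attrs in parse_set_cookies(raw_response):
        by_name[name].append((value, attrs))
    return {n: entries for n, entries in by_name.items() if len(entries) > 1}


def effective_value(entries):
    """Value kept by a client that lets the last Set-Cookie win."""
    return entries[-1][0]


if __name__ == "__main__":
    for name, entries in find_duplicate_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: set {len(entries)} times, last value {effective_value(entries)}")
```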