Thanks for your answers.

I wonder why browsers don't send only one JSESSIONID. If I request a URL such as www.mydomain.com/app/myapplication/action.do and it has got 2 cookies with the same name, one for www.mydomain.com/ and another for www.mydomain.com/app/myapplication/, IMHO a browser should send the most restrictive.

Indeed, I don't know if there is some browser working like that.

Christopher, if the browser sends a JSESSIONID to Tomcat and this JSESSIONID is not tracked by the server, does any error happen? Or is a new session created with a new identifier?

Thanks and regards

2013/2/28 Caldarale, Charles R <chuck.caldar...@unisys.com>:
>> From: Nick Williams [mailto:nicho...@nicholaswilliams.net]
>> Subject: Re: Multiple JSESSIONID
>
>> > That's interesting. I would recommend a servlet filter that captures
>> > addCookie and friends to see where that "extra" one is being added.
>
>> The two JSESSIONIDs immediately above are in the request, so they're added
>> by the browser, not the server
>
> Unless the browser is part of a hacking attack, the JSESSIONID cookies
> originally came from the server. The filter would have to be applied to both
> the ROOT and /app/myapplication contexts, so it might best be placed in
> conf/web.xml to cover all webapps.
>
> - Chuck
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
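
Added illustration, not part of the thread and not Tomcat's code: a small model of the RFC 6265 rules (path-match in section 5.1.4, ordering in section 5.4) showing why a request under /app/myapplication/ carries both JSESSIONID cookies, with the longer-path one listed first. The cookie values, the `created` counter and the exact-host domain comparison are assumptions made for the sketch.

```python
from urllib.parse import urlsplit

# Constructed cookie jar: the two same-named cookies described in the thread.
# Session values are made up; "created" is an arbitrary ordering counter.
JAR = [
    {"name": "JSESSIONID", "value": "ROOT-SESSION-0001",
     "domain": "www.mydomain.com", "path": "/", "created": 1},
    {"name": "JSESSIONID", "value": "APP-SESSION-0002",
     "domain": "www.mydomain.com", "path": "/app/myapplication/", "created": 2},
]

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end at a "/" boundary, so /app does not match /application.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(url, jar):
    """Build the Cookie header value a user agent would send for url."""
    parts = urlsplit(url)
    path = parts.path or "/"
    hits = [c for c in jar
            if c["domain"] == parts.hostname and path_match(path, c["path"])]
    # Section 5.4: longer paths first, then earlier creation time.
    hits.sort(key=lambda c: (-len(c["path"]), c["created"]))
    return "; ".join(f'{c["name"]}={c["value"]}' for c in hits)

def session_ids(header, name="JSESSIONID"):
    """Server-side view: every value sent under the session cookie name, in order."""
    pairs = (p.strip().partition("=") for p in header.split(";"))
    return [value for key, _, value in pairs if key == name]

if __name__ == "__main__":
    header = cookie_header(
        "http://www.mydomain.com/app/myapplication/action.do", JAR)
    print(header)
    print(session_ids(header))
```

A `session_ids` result with more than one entry is the condition discussed in the thread: both contexts have issued a session cookie and the paths overlap.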