> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, September 04, 2015 12:46 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Jeffrey,
> 
> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> > also seeing this on Windows (version doesn't matter), with Tomcat
> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >
> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> > APP2. Both contexts start off at a login screen unique to the
> > context and provided by it (not using container auth).
> >
> > When I connect to ROOT, no problem, but when I connect to APP2, I
> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> > the path "/APP2/".
> 
> I would expect this behavior: you have one ROOT app (cookie path=/)
> and one APP2 app (cookie path=/APP2). Your browser will send both
> cookies to /APP2 because / is a prefix of /APP2.
> 
Chris -
I wanted to come back to this case. 
Why is the above "expected behavior"?
The client is connecting directly as "https://hostname/APP2" and never going 
directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first 
connection.  To me, this seems like a bug.
Only being an admin, I've not fully read the spec, so not sure if the above is 
really expected behavior.
Now, it's been doing this since at least Tomcat 6, I have one running now, and 
I've never had a problem with it using direct connections.  But now we are 
front-ending with HAProxy and going to two backend Tomcats, and using the 
JSESSIONID to support sticky-sessions.  I'm afraid the multiple cookies are 
confusing HAProxy. (Yes, I'm going to ask that user community.)
Jeff
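
The path-matching rule discussed in this thread, as an added example that is not part of either message: it applies the RFC 6265 path-match and Cookie header ordering rules to a jar holding one JSESSIONID for "/" and one for "/APP2/". The cookie values and request paths are constructed sample data.

```python
# Added example: RFC 6265 path-match (5.1.4) and Cookie header ordering (5.4).
# Cookie values and request paths are constructed sample data.
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    path: str
    created: int  # creation order; lower means older

def path_matches(request_path: str, cookie_path: str) -> bool:
    """Return True if a cookie with cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary: /APP2 must not match /APP20.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(jar, request_path: str) -> str:
    """Build the Cookie header value a user agent sends for request_path.
    Cookies with longer paths go first, then older cookies first."""
    matching = [c for c in jar if path_matches(request_path, c.path)]
    matching.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in matching)

def session_ids(header: str, name: str = "JSESSIONID"):
    """Return every value carried under `name`, in header order."""
    values = []
    for pair in header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            values.append(value)
    return values

# Constructed jar: one session cookie per context, as described in the thread.
JAR = [
    Cookie("JSESSIONID", "AAAA-root", "/", 1),
    Cookie("JSESSIONID", "BBBB-app2", "/APP2/", 2),
]

if __name__ == "__main__":
    for path in ("/", "/APP2/login.jsp", "/APP20/index.jsp"):
        header = cookie_header(JAR, path)
        print(f"{path:18} Cookie: {header}  ids={session_ids(header)}")
```

RFC 6265 says servers should not rely on the order in which same-named cookies arrive, so any component that reads only one JSESSIONID from this header needs to be checked for which one it takes.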
