David Cotter wrote:
This turns out to be because I call session.invalidate() and then request.getSession(true). I don't have to do this so it's fine. Don't know if two JSESSIONIDs is valid behaviour.
In the case of the sample quoted the new one will just overwrite it. There are a few minor problems with cookie handling in TC, seeing two cookies for the same value is one I've seen before (and there is no API call to ask for a list of currently set cookies in the response, I can only ask what I was given in the request, Duh!).
Invalidating the session should setup the cookie to expire/delete the current value, the session object maybe live during the request but after the request has been processed its destroys.
It should be valid to call getSession(true) afterwards (within the same request) and you should be guaranteed a brand new JSESSIONID. This would be a very common way of writing a web-app and conceptually there isn't any technical reason why you can't allocate and invalidate multiple times within the same request. But maybe the specs have something to say about the matter as I've seen the issue raised as an unexpected thorn before.
<HTTP-raw> Set-Cookie: JSESSIONID=C90DF7930FFFFE158150140E41FB2FAC; Path=/globalen <HTTP-raw> Set-Cookie: tbs_identity=88881043786:3032; Expires=Sun, 01-Oct-2006 15:51:23 GMT; Path=/globalen <HTTP-raw> Set-Cookie: JSESSIONID=F974FDF3E26ACF12203F9F2C190735DA; Path=/globalen
Darryl --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
