Jonathan,

On 8/12/2011 3:02 PM, Jonathan Rosenberg wrote:
> Mystery solved, I think.
>
> I did a little more digging around & discovered that my cookie had
> two JSESSIONID values. I didn't even know this was possible.

Yep, cookies can have multiple values. You aren't doing this, but you can get two separate JSESSIONID cookies if you have one context nested inside the other. The paths are different, but one of them is a prefix of the other, so the nested context gets both cookies. You can confuse the hell out of yourself doing that (we did!) and it's best to avoid those situations.

Tomcat is actually (thankfully!) tolerant of multiple JSESSIONID values: if there are many JSESSIONID cookies in the request, Tomcat loops through all of them to see if *any* are valid. The first valid one gets used (though there is no guarantee of the order in which they are tested). If none are valid (last time I read the code), it tries to use the last JSESSIONID requested as the new session id. I think that's probably not true anymore due to the (semi-) recent changes to session id management to help mitigate session hijacking and other nasty things.

So, the JSESSIONID you were seeing probably had a path that wasn't the same as the webapp you are playing with, and that was the one you were looking at. Tomcat was ignoring it because it wasn't valid but you really had no way to tell without more invasive testing.

> Neither of the values matched Tomcat's session id & the browser was
> unable to update the cookie's JSESSIONID properly (no surprise).
>
> I deleted this rogue cookie & all appears to be working as expected.

Glad you got your problem solved.

> Lots of moving parts ...

Yes.

-chris
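
The situation described in this message, as an added example that is not part of the original post and is not Tomcat's code: a small Python model of why a nested context receives both JSESSIONID cookies, and of the "use the first valid one" selection. The context paths /shop and /shop/admin, the session id values and all function names are constructed for illustration.

```python
def path_match(request_path, cookie_path):
    """RFC 6265 path-match: equal, or cookie path is a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_header(jar, request_path):
    """Cookie header a browser would build; RFC 6265 lists longer paths first."""
    sent = [c for c in jar if path_match(request_path, c["path"])]
    sent.sort(key=lambda c: len(c["path"]), reverse=True)
    return "; ".join(f'{c["name"]}={c["value"]}' for c in sent)


def session_ids(header, name="JSESSIONID"):
    """Every value sent under `name`; parsing into a dict would hide the duplicate."""
    ids = []
    for pair in header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            ids.append(value)
    return ids


def select_session(header, valid_sessions):
    """Try each candidate in turn and return the first that is a live session."""
    candidates = session_ids(header)
    for sid in candidates:
        if sid in valid_sessions:
            return sid, candidates
    return None, candidates


# Constructed sample: an outer context at /shop with a nested one at /shop/admin.
JAR = [
    {"name": "JSESSIONID", "value": "AAAA1111", "path": "/shop"},
    {"name": "JSESSIONID", "value": "BBBB2222", "path": "/shop/admin"},
]
ADMIN_SESSIONS = {"BBBB2222"}  # assumed: ids that are live in the nested context

if __name__ == "__main__":
    header = cookie_header(JAR, "/shop/admin/users")
    chosen, seen = select_session(header, ADMIN_SESSIONS)
    print("Cookie:", header)
    print("candidates:", seen, "-> chosen:", chosen)
    if len(seen) > 1:
        print("note: multiple JSESSIONID values in one request; check cookie paths")
```

Running the same check against a captured Cookie header shows at a glance whether a stale cookie from another path is riding along with the valid one.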