APOLOGIES FOR TOP POSTING! (see below, where I correctly inline post this apology)
On Mar 1, 2013, at 1:58 PM, Nick Williams wrote:

> Browsers send all of the cookies because that's the compliant thing to do.
> RFC-2109 [1] says:
>
>> If multiple cookies satisfy the criteria above, they are ordered in
>> the Cookie header such that those with more specific Path attributes
>> precede those with less specific. Ordering with respect to other
>> attributes (e.g., Domain) is unspecified.
>
> Based on that, assuming Tomcat follows the rules Christopher says it does,
> you should be okay. The /app/myapplication cookie should always come first,
> and assuming it is valid Tomcat should always prefer it.
>
> Nick
>
> [1] http://www.ietf.org/rfc/rfc2109.txt

My apologies for top posting! I don't normally do that. Slip of the keyboard...

>
> On Mar 1, 2013, at 1:46 PM, Jose María Zaragoza wrote:
>
>> Thanks for your answers.
>>
>> I wonder why browsers don't send only one JSESSIONID
>> If I request an URL as www.mydomain.com/app/myapplication/action.do
>> and it has got 2 cookies with the same name, one for www.mydomain.com/
>> and another for www.mydomain.com/app/myapplication/, IMHO, that a
>> browser should send the most restrictive
>>
>> Indeed, I don't know if there is some browser working like that.
>>
>> Christopher,
>> if the browser sends a JSESSIONID to Tomcat and this JSESSIONID is not
>> tracked by the server, does any error happen? or is it created a
>> new session with a new identifier?
>>
>> Thanks and regards
>>
>> 2013/2/28 Caldarale, Charles R <chuck.caldar...@unisys.com>:
>>>> From: Nick Williams [mailto:nicho...@nicholaswilliams.net]
>>>> Subject: Re: Multiple JSESSIONID
>>>
>>>>> That's interesting. I would recommend a servlet filter that captures
>>>>> addCookie and friends to see where that "extra" one is being added.
>>>
>>>> The two JSESSIONIDs immediately above are in the request, so they're added
>>>> by the browser, not the server
>>>
>>> Unless the browser is part of a hacking attack, the JSESSIONID cookies
>>> originally came from the server. The filter would have to be applied to
>>> both the ROOT and /app/myapplication contexts, so it might best be placed
>>> in conf/web.xml to cover all webapps.
>>>
>>> - Chuck
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
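
The RFC 2109 ordering quoted in this message, worked through as an added example that is not part of the original thread: it builds the Cookie header a compliant browser would send for the two JSESSIONID cookies discussed, then shows which value a server taking the first match would use and how the duplicate can be flagged on the server side. The jar values, the function names, and the first-match policy are assumptions for illustration.

```python
from collections import defaultdict

def path_matches(cookie_path, request_path):
    """RFC 2109 path-match: the cookie Path must be a prefix of the request path."""
    return request_path.startswith(cookie_path)

def cookie_header(jar, request_path):
    """Build the Cookie header value: matching cookies, most specific Path first."""
    hits = [c for c in jar if path_matches(c["path"], request_path)]
    hits.sort(key=lambda c: len(c["path"]), reverse=True)  # longer Path = more specific
    return "; ".join(f'{c["name"]}={c["value"]}' for c in hits)

def parse_cookie_header(header):
    """Return (name, value) pairs in the order received; duplicates are kept."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def first_value(pairs, name):
    """Value chosen by a server that takes the first cookie with this name (assumed policy)."""
    return next((v for n, v in pairs if n == name), None)

def duplicate_names(pairs):
    """Cookie names sent more than once; worth logging when the name is the session cookie."""
    seen = defaultdict(list)
    for n, v in pairs:
        seen[n].append(v)
    return {n: vs for n, vs in seen.items() if len(vs) > 1}

# Constructed jar: one JSESSIONID per context, mirroring the two paths in the thread.
JAR = [
    {"name": "JSESSIONID", "value": "ROOT-SESSION", "path": "/"},
    {"name": "JSESSIONID", "value": "APP-SESSION", "path": "/app/myapplication"},
]

if __name__ == "__main__":
    header = cookie_header(JAR, "/app/myapplication/action.do")
    pairs = parse_cookie_header(header)
    print("Cookie:", header)
    print("first match:", first_value(pairs, "JSESSIONID"))
    print("duplicates:", duplicate_names(pairs))
```
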