> Markus Reis wrote:
> >>> Our Tomcat 5.5 sends 30 cookie
> >>> (cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
> >>> domain=null; path=/)
> >> Are they all identical?
> >
> > No. They are ALL different (and they also differ from response to
> > response)
> >
> >>> and 900 Set-Cookie
> >>> (header=Set-Cookie=JSESSIONID=2D79FB71207A83A09B32677B9640693E.jbprod;
> >>> Path=/; Secure) headers in the http response header back to the
> >>> external clients (during the initial http request/response).
> >> Same here: identical?
> >
> > No. Each of the 30 DIFFERENT session IDs from above are repeated thirty
> > times.
> >
> >>> The 900 Set-Cookie headers contain each "cookie" JSESSIONID thirty
> >>> times.
> >> That is crazy! How are you observing this behavior? LiveHTTPHeaders/http
> >> protocol sniffer? Wireshark/packet sniffer?
> >
> > Yes it is crazy - I observed this using
> > org.apache.catalina.valves.RequestDumperValve in my server.xml
> >
> >>> If I submit the same request from my machine I get a only/as expected
> >>> one cookie and one Set-Cookie header back in the initial response.
> >> Er... what do you mean "from my machine"? What are you using when you
> >> get 900 Set-Cookie headers?
> >
> > "My machine" is my PC at work. The requests where a response with 900
> > SetCookie headers is returned, are sent from PCs of our partners, which
> > operate in one single network (and thus all have the same IP, which is
> > the IP of the partner network's proxy server). If I use some other PC
> > connected to the internet I have the same expected behaviour as from my
> > PC at work. So those responses are only/exclusively produced for
> > requests coming from PCs of our partners.
> >
> > markus
>
> Old African proverb : he who wants to eat an elephant, should do it a
> little bit at a time.
>
> I am not basing the following on any deep knowledge of Tomcat, just
> trying to use the logical cues from what you said so far and the way
> HTTP servers and browsers normally react.
>
> 1) How do you *precisely* know that Tomcat is actually sending 900
> Set-Cookie Headers ? does the RequestDumperValve also dump the response
> ? or is that what you see in the client browser ?
> In other words, are you really sure that it is Tomcat who is sending all
> these Set-Cookie headers, or could it be the customer's proxy
> adding/multiplying them ? (Not that I would know how it could do that,
> but that's another matter)

Yes, the RequestDumperValve also dumps the response - therefore I'm SURE that it is Tomcat that sends the 900 Set-Cookie headers and no other network component between client and server.

> 2) The client browser gets 900 Set-Cookie headers, of which the basic
> set of different ones is 30, each multiplied 30 times.
> So the client browser ends up with 30 cookies set ?
> Or just one, in the end ?

The client sends only one cookie in the following requests (this cookie is the last one in the list of Set-Cookie headers). All those requests only have this one/single cookie in their requests (and responses).

>
> 3) Does this number 30 relate in some way to how many separate stations
> at your customer access your Tomcat server ?
> For example, assuming that there would be a way to "reset everything",
> and then turn on a single customer station, and access your Tomcat
> server once, how many Set-cookies would that one browser get in return ?
> And then, what if a second station now sends a request ?
>

I have no idea how many separate clients/workstations are accessing our Tomcat (due to the partner network's proxy) - it could be thirty, but still: How should Tomcat know about that? I also have no possibility to go (physically) to our partner and try something out.

Further I found out that this happens only with an initial POST request - if I do the same via GET only one Set-Cookie header is returned (I wrote before that I was not able to reproduce those 900 Set-Cookie headers on my PC, but that was due to the fact that I sent the request as a GET - if I send the same data via a POST request I also get ~900 Set-Cookie headers, with the only difference that all of them always contain exactly the same JSESSIONID).
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
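The tally done by hand from the RequestDumperValve output in the message above, written as a check (an added example, not part of the original thread): it counts Set-Cookie headers per cookie name in a raw response head, the number of distinct values, and the value a client ends up keeping. The function names, the sample session ids and the order of the headers are constructed for illustration.

```python
from collections import Counter

def audit_set_cookie(raw_head: str) -> dict:
    """Summarise Set-Cookie headers in a raw HTTP response head.

    Per cookie name: total headers, distinct values, highest repetition of
    one value, and the value a client keeps (a later Set-Cookie for the same
    name replaces an earlier one). This sketch keys on the cookie name only,
    since every header quoted in the thread uses Path=/.
    """
    seen = {}
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                      # skip the status line
        if not line:                            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0].strip()   # "JSESSIONID=..." without attributes
        cname, _, cval = pair.partition("=")
        entry = seen.setdefault(cname, {"values": Counter(), "kept": None})
        entry["values"][cval] += 1
        entry["kept"] = cval                    # last header wins
    return {
        cname: {
            "headers": sum(e["values"].values()),
            "distinct": len(e["values"]),
            "max_repeat": max(e["values"].values()),
            "kept": e["kept"],
            "anomalous": sum(e["values"].values()) > 1,  # one session cookie is expected
        }
        for cname, e in seen.items()
    }

def build_sample(distinct: int, repeat: int) -> str:
    """Constructed response head: `distinct` session ids, each sent `repeat` times."""
    head = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    for _ in range(repeat):
        for i in range(distinct):
            head.append(f"Set-Cookie: JSESSIONID={i:032X}.jbprod; Path=/; Secure")
    return "\r\n".join(head) + "\r\n\r\n"

if __name__ == "__main__":
    print(audit_set_cookie(build_sample(30, 30)))   # POST from the partner network
    print(audit_set_cookie(build_sample(1, 900)))   # POST reproduced locally
    print(audit_set_cookie(build_sample(1, 1)))     # GET, the expected case
```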