JBoss Web / JBWEB-214

More than one JSESSIONID cookie headers set in JBoss Web

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: JBossWeb-2.1.11.GA
    • Fix Version/s: None
    • Component/s: Tomcat
    • Security Level: Public (Everyone can see)
    • Labels: None

      Description

      More than one JSESSIONID cookie header is set if the following JSP is executed.
      <%
      session.invalidate();
      session = request.getSession();
      session.invalidate();
      session = request.getSession();
      %>

      This issue has been reported as Bug 49158 [1] in Tomcat.

      [1] Bug 49158 - More than one JSESSIONID cookie headers set
      https://issues.apache.org/bugzilla/show_bug.cgi?id=49158
      http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?r1=944398&r2=944397&pathrev=944398
      http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?r1=944398&r2=944397&pathrev=944398

      I guess that the same fix is required in JBoss Web.
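
The duplicate headers described in this report can be checked for from the client side by parsing a captured response. This is an added example, not code from the reporter or from JBoss Web; the sample response, the cookie values and the function names are constructed for illustration, and the cookies are assumed to carry no Domain attribute.

```python
from http.cookies import SimpleCookie

# Constructed sample: response headers of the kind the JSP in this report produces.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=AAAA1111; Path=/app\r\n"
    "Set-Cookie: JSESSIONID=BBBB2222; Path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def session_cookies(raw_response, name="JSESSIONID"):
    """Return [(value, path), ...] for each Set-Cookie header that sets `name`, in order."""
    found = []
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        if name in jar:
            found.append((jar[name].value, jar[name]["path"]))
    return found


def audit(raw_response, name="JSESSIONID"):
    """Group session cookies by Path and flag paths that receive more than one."""
    by_path = {}
    for value, path in session_cookies(raw_response, name):
        by_path.setdefault(path, []).append(value)
    return {
        "count": sum(len(v) for v in by_path.values()),
        "duplicates": {p: v for p, v in by_path.items() if len(v) > 1},
        # RFC 6265: for the same name, domain and path, a later cookie
        # replaces an earlier one in the user agent's store.
        "last_per_path": {p: v[-1] for p, v in by_path.items()},
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```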

          Activity

          Remy Maucherat
          added a comment -

          I have no intention of porting this fix. This should normally not break anything, and I won't add complexity for a cosmetic issue.

          Jan Stefl
          added a comment - edited

          Hi Remy,
          What do you think about the following?

          https://issues.apache.org/bugzilla/show_bug.cgi?id=49158#c7

          This is proving to be critical to us (we manually invalidate sessions first time around when we haven't seen them before - to guard against sessions being presented from search engines), and we currently end up in an invalidation loop as the second JSESSIONID is never actually presented back to the browser.

          Remy Maucherat
          added a comment -

          I think you should enable the session id check if you think you need it.

          Jan Stefl
          added a comment -

          OK, thanks for the answer.
          Would it be possible to send a sample of code?

          Remy Maucherat
          added a comment -

          It is the "org.apache.catalina.connector.Request.SESSION_ID_CHECK" system property, set to "true".

          Jan Stefl
          added a comment -

          Thank you Remy,
          I needed some clarification before I close the JBPAPP-7428.


            People

            • Assignee: Remy Maucherat
            • Reporter: Eiichi Nagai
            • Votes: 0
            • Watchers: 2