  1. JBoss Web
  2. JBWEB-214

More than one JSESSIONID cookie headers set in JBoss Web

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: JBossWeb-2.1.11.GA
    • Fix Version/s: None
    • Component/s: Tomcat
    • Labels:
      None

      Description

      More than one JSESSIONID cookie header is set if the following JSP is executed.
      <%
      session.invalidate();
      session = request.getSession();
      session.invalidate();
      session = request.getSession();
      %>

      This issue has been reported as Bug 49158 [1] in Tomcat.

      [1] Bug 49158 - More than one JSESSIONID cookie headers set
      https://issues.apache.org/bugzilla/show_bug.cgi?id=49158
      http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?r1=944398&r2=944397&pathrev=944398
      http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?r1=944398&r2=944397&pathrev=944398

      I guess that the same fix is required in JBoss Web.
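
A check for the symptom described above, as an added example that is not part of the original report or of JBoss Web or Tomcat code: it scans a captured HTTP response head and reports every cookie name set by more than one Set-Cookie header. The sample response and its session id values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: a response head carrying two JSESSIONID cookies,
# the symptom this report describes. Session ids are made-up placeholders.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=AAAA1111; Path=/app\r\n"
    "Set-Cookie: JSESSIONID=BBBB2222; Path=/app\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def set_cookie_values(response_head):
    """Return {cookie name: [values in header order]} for one response head."""
    cookies = defaultdict(list)
    for line in response_head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # The name=value pair is everything before the first attribute.
        pair = value.split(";", 1)[0]
        name, eq, cookie_value = pair.partition("=")
        if eq:
            cookies[name.strip()].append(cookie_value.strip())
    return dict(cookies)


def duplicated_cookies(response_head):
    """Cookie names that appear in more than one Set-Cookie header.

    RFC 6265 section 4.1.1 says servers SHOULD NOT send more than one
    Set-Cookie header with the same cookie-name in one response.
    """
    found = set_cookie_values(response_head)
    return {name: vals for name, vals in found.items() if len(vals) > 1}


if __name__ == "__main__":
    for name, vals in duplicated_cookies(SAMPLE_RESPONSE_HEAD).items():
        print(f"{name} set {len(vals)} times: {vals}")
```

Run it against response heads captured from the application (for example from a proxy log) to confirm whether a given page triggers the duplicate header.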

            Activity

            rmaucher Remy Maucherat added a comment -

            I have no intention of porting this fix. This should normally not break anything, and I won't add complexity for a cosmetic issue.

            jstefl Jan Stefl added a comment - - edited

            Hi Remy,
            What do you think about the following?

            https://issues.apache.org/bugzilla/show_bug.cgi?id=49158#c7

            This is proving to be critical to us (we manually invalidate sessions first time around when we haven't seen them before - to guard against sessions being presented from search engines), and we currently end up in an invalidation loop as the second JSESSIONID is never actually presented back to the browser.

            rmaucher Remy Maucherat added a comment -

            I think you should enable the session id check if you think you need it.

            jstefl Jan Stefl added a comment -

            OK, thanks for the answer.
            Would it be possible to send a sample of code?

            rmaucher Remy Maucherat added a comment -

            It is the "org.apache.catalina.connector.Request.SESSION_ID_CHECK" system property, set to "true".

            jstefl Jan Stefl added a comment -

            Thank you Remy,
            I needed some clarification before I close JBPAPP-7428.


              People

              • Assignee:
                rmaucher Remy Maucherat
                Reporter:
                enagai Eiichi Nagai