[undertow-dev] JSESSIONID cookie path empty for root deployments

arjan tijms arjan.tijms at gmail.com
Mon Jun 23 09:16:05 EDT 2014


Hi,

For a root deployment, Undertow by default writes the JSESSIONID cookie
with an empty path. I.e. in the response header the following appears:

SET-COOKIE: JSESSIONID=FhgSh... path=; ...

An empty path causes browsers to set the cookie on whatever path was used
for the request URI. In effect, this causes multiple JSESSIONIDs to be
created while browsing through an app deployed to WildFly, and thus
multiple JSESSIONIDs being posted back when other paths are accessed
(leading to many issues).

The cause of this seems to be in
io.undertow.servlet.spec.ServletContextImpl#ServletContextImpl and
io.undertow.servlet.core.DeploymentManagerImpl#handleDeploymentSessionConfig,
where the cookie path is set to deploymentInfo#getContextPath, which in
both cases returns the empty string.

See:

io.undertow.servlet.spec.ServletContextImpl.ServletContextImpl(ServletContainer,
Deployment)

sessionCookieConfig = new SessionCookieConfigImpl(this);
sessionCookieConfig.setPath(deploymentInfo.getContextPath());

and:

io.undertow.servlet.core.DeploymentManagerImpl.handleDeploymentSessionConfig(DeploymentInfo,
ServletContextImpl)
if(sc.getPath() != null) {
    sessionCookieConfig.setPath(sc.getPath());
} else {
    sessionCookieConfig.setPath(deploymentInfo.getContextPath());
}

I'm not sure if deploymentInfo#getContextPath should indeed return the
empty string for a root deployment or not, but I think setting the cookie
path to the empty string is not really correct and should be "/" in that
case.

Kind regards,
Arjan Tijms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20140623/026ec527/attachment.html 


More information about the undertow-dev mailing list