[undertow-dev] JSESSIONID cookie path empty for root deployments

arjan tijms arjan.tijms at gmail.com
Thu Nov 27 08:31:19 EST 2014


Hi,

On Tue, Jun 24, 2014 at 12:14 PM, Tomaž Cerar <tomaz.cerar at gmail.com> wrote:
> I think this might be fixed in master, at least this commit
> https://github.com/wildfly/wildfly/commit/fe642cd253dc91febed2f763a48853aa200a1bd5
> was changing this exact behavior.
>
> Can you try with WildFly master if it is still the same?

Sorry, never replied to this, but it was indeed fixed in master (and
now in Undertow 1.1.0 final as well).

Kind regards,
Arjan



>
> --
> tomaz
>
>
> On Mon, Jun 23, 2014 at 3:16 PM, arjan tijms <arjan.tijms at gmail.com> wrote:
>>
>> Hi,
>>
>> For a root deployment, Undertow by default writes the JSESSIONID cookie
>> with an empty path. I.e. in the response header the following appears:
>>
>> SET-COOKIE: JSESSIONID=FhgSh... path=; ...
>>
>> An empty path causes browsers to set the cookie on whatever path was used
>> for the request URI. In effect, this causes multiple JSESSIONIDs to be
>> created while browsing through an app deployed to WildFly, and thus multiple
>> JSESSIONIDs being posted back when other paths are accessed (leading to many
>> issues).
>>
>> The cause of this seems to be in
>> io.undertow.servlet.spec.ServletContextImpl#ServletContextImpl and
>> io.undertow.servlet.core.DeploymentManagerImpl#handleDeploymentSessionConfig,
>> where the cookie path is set to deploymentInfo#getContextPath, which in both
>> cases returns the empty string.
>>
>> See:
>>
>>
>> io.undertow.servlet.spec.ServletContextImpl.ServletContextImpl(ServletContainer,
>> Deployment)
>>
>> sessionCookieConfig = new SessionCookieConfigImpl(this);
>> sessionCookieConfig.setPath(deploymentInfo.getContextPath());
>>
>> and:
>>
>>
>> io.undertow.servlet.core.DeploymentManagerImpl.handleDeploymentSessionConfig(DeploymentInfo,
>> ServletContextImpl)
>> if(sc.getPath() != null) {
>>     sessionCookieConfig.setPath(sc.getPath());
>> } else {
>>     sessionCookieConfig.setPath(deploymentInfo.getContextPath());
>> }
>>
>> I'm not sure if deploymentInfo#getContextPath should indeed return the
>> empty string for a root deployment or not, but I think setting the cookie
>> path to the empty string is not really correct and should be "/" in that
>> case.
>>
>> Kind regards,
>> Arjan Tijms
>>
>
>
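
Added example (not part of the original thread and not Undertow code): a small model of the RFC 6265 cookie-path rules, showing why an empty `path=` on a root deployment leaves several JSESSIONID cookies in the browser while `path=/` leaves one. The request paths, session ids and the function and class names are constructed for illustration.

```javascript
// Added example: model of RFC 6265 cookie-path handling (sections 5.1.4, 5.2.4).
// Request paths and session ids are constructed sample values.
// RFC 6265 5.1.4: default-path is derived from the request URI path.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.2.4: an empty Path (or one not starting with "/") means default-path.
function effectivePath(pathAttr, requestPath) {
  return pathAttr && pathAttr[0] === '/' ? pathAttr : defaultPath(requestPath);
}

// RFC 6265 5.1.4: path-match between a request path and a stored cookie path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Minimal cookie jar: one entry per (name, path) pair, as in a browser.
class Jar {
  constructor() { this.cookies = new Map(); }
  store(name, value, pathAttr, requestPath) {
    const path = effectivePath(pathAttr, requestPath);
    this.cookies.set(`${name};${path}`, { name, value, path });
  }
  // Values of `name` sent with a request, longest cookie path first (5.4).
  sent(name, requestPath) {
    return [...this.cookies.values()]
      .filter(c => c.name === name && pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => c.value);
  }
}

// Hypothetical server: issues a new session whenever no JSESSIONID arrives.
function browse(pathAttr, requestPaths) {
  const jar = new Jar();
  let n = 0;
  for (const p of requestPaths) {
    if (jar.sent('JSESSIONID', p).length === 0) jar.store('JSESSIONID', `s${++n}`, pathAttr, p);
  }
  return jar;
}

const SAMPLE = ['/admin/users', '/shop/cart', '/shop/cart/items', '/index.html'];
console.log(browse('', SAMPLE).cookies.size, browse('/', SAMPLE).cookies.size); // 3 1
```

With the empty path, a later request to /shop/cart carries two different JSESSIONID values (the one scoped to /shop and the one scoped to /), which is the duplicate-cookie condition to look for in request logs.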


