Server returns 2 JSESSIONID cookies ------------------------------------ Key: WFLY-12375 URL: https://issues.redhat.com/browse/WFLY-12375 Project: WildFly Issue Type: Bug Components: Web (Undertow) Affects Versions: 17.0.1.Final Reporter: Nicolas NESMON Assignee: Parul Sharma Priority: Major Labels: COOKIES, JSESSIONID Please find below the source code of my simplified JAX-RS application: {code:java} @ApplicationPath("myApp") public class Application extends javax.ws.rs.core.Application { public Application() { } @Override public Set<Object> getSingletons() { return Collections.singleton(new HelloWorldResource()); } } {code} {code:java} @Path("/") @Produces(MediaType.TEXT_PLAIN) public class HelloWorldResource { @Context private HttpServletRequest httpServletRequest; @GET public Response helloWorld() { HttpSession session = this.httpServletRequest.getSession(false); return Response.ok(session == null ? "Hello world" : "Bye bye world") .cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false)).build(); } } {code} When deploying this application in WF 17.0.1.Final and running following request: {noformat} GET http://localhost:8080/demo/myApp/ Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Cookie: JSESSIONID=Hello => without this cookie, I only get the cookie I created. {noformat} I get following response {noformat} HTTP/1.1 200 OK Connection: keep-alive Set-Cookie: JSESSIONID=id;Version=1;Path=/demo Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo Content-Type: text/plain;charset=UTF-8 Content-Length: 11 Date: Tue, 13 Aug 2019 23:28:15 GMT {noformat} As you may notice, there are 2 JSESSIONID cookies in the response: * The one I was expecting with "id" value since I created it. * Another one created by the server even if I did not ask for it since in my code I don't create no HTTP session. And by the way this JSESSIONID cookie is created but there no server side session created...weird Any idea why this second JSESSIONID cookies is created by the server ? Since my real application don't use HTTP session at all the workaround I found is to set session tracking mode to URL: {noformat} <web-app> <session-config> <tracking-mode>URL</tracking-mode> </session-config> </web-app> {noformat} Thanks