[ https://issues.jboss.org/browse/JBWEB-214?page=com.atlassian.jira.plugin.... ] richard groote commented on JBWEB-214: -------------------------------------- I have a question about the status of this issue. In the rfc6265 the below is stated, so it would be nice if the server should not response with multiple session id. In our situation we do not invalidate the session our self. In our situation we're calling a secure page and than the response contains two SetCookie headers. The cause of the problem is the session-config in the web.xml defines that the cookie is secure but the call we make in the browser is http. The next call is a post to the j_security_check and this one will fail with message "session timeout during the login process". The browser (FireFox and Chrome) are not responding to (correctly) to the Set-Cookie in the first request so therefore a incorrect session is send with the j_security_check. It would be nice if the server will response only with one Set-Cookie --- RFC6265 --- Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.2 for how user agents handle this case.) -- This message was sent by Atlassian JIRA (v7.5.0#75005)