Parul Sharma reassigned WFLY-12375:
-----------------------------------
Assignee: Parul Sharma (was: Flavia Rainone)
Server returns 2 JSESSIONID cookies
------------------------------------
Key: WFLY-12375
URL: https://issues.redhat.com/browse/WFLY-12375
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 17.0.1.Final
Reporter: Nicolas NESMON
Assignee: Parul Sharma
Priority: Major
Labels: COOKIES, JSESSIONID
Please find below the source code of my simplified JAX-RS application:
{code:java}
import java.util.Collections;
import java.util.Set;
import javax.ws.rs.ApplicationPath;

@ApplicationPath("myApp")
public class Application extends javax.ws.rs.core.Application {
    public Application() {
    }

    @Override
    public Set<Object> getSingletons() {
        return Collections.singleton(new HelloWorldResource());
    }
}
{code}
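{code:java}
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

@Path("/")
@Produces(MediaType.TEXT_PLAIN)
public class HelloWorldResource {
    @Context
    private HttpServletRequest httpServletRequest;

    @GET
    public Response helloWorld() {
        // getSession(false) only looks up an existing session; it never creates one.
        HttpSession session = this.httpServletRequest.getSession(false);
        return Response.ok(session == null ? "Hello world" : "Bye bye world")
                .cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false))
                .build();
    }
}
{code}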
When deploying this application in WF 17.0.1.Final and running the following request:
{noformat}
GET http://localhost:8080/demo/myApp/
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=Hello => without this cookie, I only get the cookie I created.
{noformat}
I get the following response:
{noformat}
HTTP/1.1 200 OK
Connection: keep-alive
Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
Content-Type: text/plain;charset=UTF-8
Content-Length: 11
Date: Tue, 13 Aug 2019 23:28:15 GMT
{noformat}
As you may notice, there are 2 JSESSIONID cookies in the response:
* The one I was expecting with "id" value since I created it.
* Another one created by the server even if I did not ask for it, since in my code I don't create any HTTP session. And by the way, this JSESSIONID cookie is created but there is no server-side session created... weird.
Any idea why this second JSESSIONID cookie is created by the server?
Since my real application doesn't use HTTP session at all, the workaround I found is to set session tracking mode to URL:
{noformat}
<web-app>
    <session-config>
        <tracking-mode>URL</tracking-mode>
    </session-config>
</web-app>
{noformat}
Thanks