Hi,

For a root deployment, Undertow by default writes the JSESSIONID cookie with an empty path. I.e. in the response header the following appears:

    SET-COOKIE: JSESSIONID=FhgSh... path=; ...

An empty path causes browsers to set the cookie on whatever path was used for the request URI. In effect, this causes multiple JSESSIONIDs to be created while browsing through an app deployed to WildFly, and thus multiple JSESSIONIDs being posted back when other paths are accessed (leading to many issues).

The cause of this seems to be in io.undertow.servlet.spec.ServletContextImpl#ServletContextImpl and io.undertow.servlet.core.DeploymentManagerImpl#handleDeploymentSessionConfig, where the cookie path is set to deploymentInfo#getContextPath, which in both cases returns the empty string.

See:
io.undertow.servlet.spec.ServletContextImpl.ServletContextImpl(ServletContainer, Deployment)

    sessionCookieConfig = new SessionCookieConfigImpl(this);
    sessionCookieConfig.setPath(deploymentInfo.getContextPath());

and:

io.undertow.servlet.core.DeploymentManagerImpl.handleDeploymentSessionConfig(DeploymentInfo, ServletContextImpl)

    if(sc.getPath() != null) {
        sessionCookieConfig.setPath(sc.getPath());
    } else {
        sessionCookieConfig.setPath(deploymentInfo.getContextPath());
    }

I'm not sure if deploymentInfo#getContextPath should indeed return the empty string for a root deployment or not, but I think setting the cookie path to the empty string is not really correct and should be "/" in that case.

Kind regards,
Arjan Tijms
_______________________________________________
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
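
The browser behaviour described in the message, as an added example that is not part of the original e-mail or of Undertow: a small simulation of the RFC 6265 default-path and path-match rules for an empty `Path` attribute versus `Path=/`. The request paths, session ids and the `sessionCookiePath` helper are constructed for illustration, and the server is assumed to start a new session whenever a request arrives without a JSESSIONID.

```javascript
// Added example: RFC 6265 cookie-path handling, simulated for a root deployment.
// Request paths and session ids are constructed sample values.

// RFC 6265 section 5.1.4: default-path derived from the request URI path.
function defaultPath(uriPath) {
  if (!uriPath.startsWith("/")) return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.2.4: an empty Path attribute falls back to default-path.
function storedPath(pathAttr, uriPath) {
  return pathAttr.startsWith("/") ? pathAttr : defaultPath(uriPath);
}

// RFC 6265 section 5.1.4: path-match of a stored cookie path against a request path.
function pathMatch(cookiePath, reqPath) {
  if (cookiePath === reqPath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Simulate a browser plus a server (assumed behaviour) that starts a new
// session whenever no JSESSIONID arrives. Returns per-request cookies and the jar.
function browse(pathAttr, requests) {
  const jar = new Map(); // cookie path -> session id (name is always JSESSIONID)
  let counter = 0;
  const sent = requests.map((reqPath) => {
    const ids = [...jar].filter(([p]) => pathMatch(p, reqPath)).map(([, id]) => id);
    if (ids.length === 0) {
      jar.set(storedPath(pathAttr, reqPath), `S${++counter}`);
    }
    return ids;
  });
  return { sent, jar };
}

// Hypothetical helper for the normalisation suggested in the message: "" -> "/".
const sessionCookiePath = (contextPath) => (contextPath === "" ? "/" : contextPath);

const requests = ["/admin/users/list", "/shop/cart/view", "/index.html", "/admin/users/edit"];
const broken = browse("", requests);
const fixed = browse(sessionCookiePath(""), requests);
console.log("Path=  ->", [...broken.jar.keys()], "last request sent", broken.sent[3]);
console.log("Path=/ ->", [...fixed.jar.keys()], "last request sent", fixed.sent[3]);
```

With the empty path the jar ends up holding three JSESSIONID cookies and the last request carries two of them; with `Path=/` a single cookie is stored and sent everywhere.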