[jboss-jira] [JBoss JIRA] (WFLY-3617) multiple jsessionids at every path for rootcontext application

Ochieng Marembo (JIRA) issues at jboss.org
Fri Jul 11 16:41:24 EDT 2014 

     [ https://issues.jboss.org/browse/WFLY-3617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ochieng Marembo updated WFLY-3617:
----------------------------------

    Attachment: ApplicationAtContext_config.png
                ApplicationAtContext_rootContext.png
                ApplicationAtContext_rootContext_NavigateToPath_accounts.png
                ApplicationAtContext_rootContext_NavigateToPath_accounts_customer.png


The attached images shows the jsessionids as viewed on chrome.
The same scenario is repeated on firefox

> multiple jsessionids at every path for rootcontext application
> --------------------------------------------------------------
>
>                 Key: WFLY-3617
>                 URL: https://issues.jboss.org/browse/WFLY-3617
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: redhat linux, 
> openjdk1.7.0.55
> Wildfly 8.1.0.Final
>            Reporter: Ochieng Marembo
>            Assignee: Stuart Douglas
>         Attachments: ApplicationAtContext_config.png, ApplicationAtContext_rootContext.png, ApplicationAtContext_rootContext_NavigateToPath_accounts.png, ApplicationAtContext_rootContext_NavigateToPath_accounts_customer.png
>
>
> 3 Tested Scenarios:
> 1. Deploy war at / with no added path
> 2. Deploy war at /war1 with no paths or added paths
> 3. Deploy war at / with several paths
> Since the first war has no other navigation path, there is only one jsessionid at root /
> For the second war, there are two jsessions, regardless of path: at root / and at contextpath /war1
> The final scenario is the worst. There are jsessionis cookies at every path of the application navigable path: at root / at /path1, at /path1/path2, etc.
> In every path therefore has a session id, and if you logint at /account, and require login to access /account/dashboard, it is impossible to navigate to your /account/dashboard as the application receives a different sessionid, and hence you are redirected (based on application logic) to login page at /account/signin.xhtml, which now shows that you are logged (due to the jsessionid at /account being used during the login process)
> This issue occurs whether i deploy the wars independently or packaged in an ear archive.
> On separate or hosts or on the default host.



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)

More information about the jboss-jira mailing list