[jboss-jira] [JBoss JIRA] (WFLY-3617) multiple jsessionids at every path for rootcontext application

Stuart Douglas (JIRA) issues at jboss.org
Fri Jul 11 16:55:24 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12984432#comment-12984432 ] 

Stuart Douglas edited comment on WFLY-3617 at 7/11/14 4:54 PM:
---------------------------------------------------------------

This should have already been fixed upstream. 

For now there are a few workarounds you can use; the easiest one is to use jboss-web.xml to explicitly set the cookie path to /:

{code}
<?xml version="1.0"?>
<jboss-web>
    <session-config>
       <cookie-config>
          <path>/</path>
       </cookie-config>
    </session-config>
</jboss-web>
{code}

Alternatively, you can use a ServletContainerInitializer or ServletContextListener to set the path to / explicitly using ServletContext.getSessionCookieConfig.


> multiple jsessionids at every path for rootcontext application
> --------------------------------------------------------------
>
>                 Key: WFLY-3617
>                 URL: https://issues.jboss.org/browse/WFLY-3617
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: redhat linux, 
> openjdk1.7.0.55
> Wildfly 8.1.0.Final
>            Reporter: Ochieng Marembo
>            Assignee: Stuart Douglas
>         Attachments: ApplicationAtContext_config.png, ApplicationAtContext_rootContext.png, ApplicationAtContext_rootContext_NavigateToPath_accounts.png, ApplicationAtContext_rootContext_NavigateToPath_accounts_customer.png
>
>
> 3 Tested Scenarios:
> 1. Deploy war at / with no added path
> 2. Deploy war at /war1 with no paths or added paths
> 3. Deploy war at / with several paths
> Since the first war has no other navigation path, there is only one jsessionid at root /
> For the second war, there are two jsessions, regardless of path: at root / and at contextpath /war1
> The final scenario is the worst. There are jsessionid cookies at every path of the application navigable path: at root /, at /path1, at /path1/path2, etc.
> Every path therefore has a session id, and if you log in at /account, and require login to access /account/dashboard, it is impossible to navigate to your /account/dashboard as the application receives a different sessionid, and hence you are redirected (based on application logic) to the login page at /account/signin.xhtml, which now shows that you are logged in (due to the jsessionid at /account being used during the login process).
> This issue occurs whether I deploy the wars independently or packaged in an ear archive.
> On separate hosts or on the default host.
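
The ServletContextListener workaround mentioned in the comment above, as an added example that is not part of the original comment or of WildFly's own code. The class name is hypothetical, and the example goes slightly beyond the comment: it uses / only for a root-context deployment and otherwise pins the cookie to the context path, so the session cookie is not sent to other applications on the same host.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Pins the session cookie to one explicit path so the browser stores a
 * single JSESSIONID instead of one per navigated path.
 * Hypothetical class name; uses only the Servlet 3.x API (javax.servlet).
 */
@WebListener
public class SessionCookiePathListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // getContextPath() returns "" for an application deployed at the root context.
        String contextPath = ctx.getContextPath();
        String cookiePath = contextPath.isEmpty() ? "/" : contextPath;

        // Must run during context initialization: setPath() throws
        // IllegalStateException once the context is fully initialized, and
        // getSessionCookieConfig() throws UnsupportedOperationException if the
        // listener was not declared via @WebListener, web.xml or web-fragment.xml.
        SessionCookieConfig cookieConfig = ctx.getSessionCookieConfig();
        cookieConfig.setPath(cookiePath);

        ctx.log("Session cookie path pinned to " + cookiePath);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release; required by the Servlet 3.x interface.
    }
}
```

After redeploying, the Set-Cookie response header for the session cookie of a root-context application should carry Path=/ regardless of which URL created the session.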


