[jboss-jira] [JBoss JIRA] (WFLY-12375) Server returns 2 JSESSIONID cookies

Nicolas NESMON (Jira) issues at jboss.org
Tue Aug 13 20:00:00 EDT 2019


     [ https://issues.jboss.org/browse/WFLY-12375?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas NESMON updated WFLY-12375:
----------------------------------
    Description: 
Please find below the source code of my simplified JAX-RS application:

{code:java}
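import java.util.Collections;
import java.util.Set;

import javax.ws.rs.ApplicationPath;

// JAX-RS application mounted under /myApp of the deployment's context root.
@ApplicationPath("myApp")
public class Application extends javax.ws.rs.core.Application {

	public Application() {
	}

	// Registers the single resource instance used by the reproducer.
	@Override
	public Set<Object> getSingletons() {
		return Collections.singleton(new HelloWorldResource());
	}

}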
{code}

{code:java}
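import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

@Path("/")
@Produces(MediaType.TEXT_PLAIN)
public class HelloWorldResource {

	@Context
	private HttpServletRequest httpServletRequest;

	@GET
	public Response helloWorld() {
		// getSession(false) only looks up an existing session; it never creates one.
		HttpSession session = this.httpServletRequest.getSession(false);
		// NewCookie arguments: name, value, path, domain, comment, maxAge, secure.
		return Response.ok(session == null ? "Hello world" : "Bye bye world")
				.cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false)).build();
	}
}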
{code}

When deploying this application in WF 17.0.1.Final and running the following request:
{noformat}
GET http://localhost:8080/demo/myApp/

Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=Hello                  => without this cookie, I only get the cookie I created.
{noformat}

I get the following response:
{noformat}
HTTP/1.1 200 OK
Connection: keep-alive
Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
Content-Type: text/plain;charset=UTF-8
Content-Length: 11
Date: Tue, 13 Aug 2019 23:28:15 GMT
{noformat}

As you may notice, there are 2 JSESSIONID cookies in the response:
* The one I was expecting with "id" value since I created it.
* Another one created by the server even though I did not ask for it, since my code does not create any HTTP session. And by the way, this JSESSIONID cookie is created but there is no server-side session created... weird.

Any idea why this second JSESSIONID cookie is created by the server?

Since my real application doesn't use HTTP sessions at all, the workaround I found is to set the session tracking mode to URL:

{noformat}
<web-app>
    <session-config>
        <tracking-mode>URL</tracking-mode>
    </session-config>
</web-app>
{noformat}

Thanks


  was:
Please find below the source code of my simple JAX-RS application:

{code:java}
@ApplicationPath("myApp")
public class Application extends javax.ws.rs.core.Application {

	public Application() {
	}

	@Override
	public Set<Object> getSingletons() {
		return Collections.singleton(new HelloWorldResource());
	}

}
{code}

{code:java}
@Path("/")
@Produces(MediaType.TEXT_PLAIN)
public class HelloWorldResource {

	@Context
	private HttpServletRequest httpServletRequest;

	@GET
	public Response helloWorld() {
		HttpSession session = this.httpServletRequest.getSession(false);
		return Response.ok(session == null ? "Hello world" : "Bye bye world")
				.cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false)).build();
	}
}
{code}

When deploying this application in WF 17.0.1.Final and running following request:
{noformat}
GET http://localhost:8080/demo/myApp/

Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=Hello                  => without this cookie, I only get the cookie I created.
{noformat}

I get following response
{noformat}
HTTP/1.1 200 OK
Connection: keep-alive
Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
Content-Type: text/plain;charset=UTF-8
Content-Length: 11
Date: Tue, 13 Aug 2019 23:28:15 GMT
{noformat}

As you may notice, there are 2 JSESSIONID cookies in the response:
* The one I was expecting with "id" value since I created it.
* Another own created by the server even if I did not ask for it since in my code I don't  create no HTTP session.

Any idea why this second JSESIONID cookies is created by the server ?

Thanks




> Server returns 2 JSESSIONID cookies 
> ------------------------------------
>
>                 Key: WFLY-12375
>                 URL: https://issues.jboss.org/browse/WFLY-12375
>             Project: WildFly
>          Issue Type: Enhancement
>          Components: EE
>    Affects Versions: 17.0.1.Final
>            Reporter: Nicolas NESMON
>            Assignee: Brian Stansberry
>            Priority: Major
>              Labels: COOKIES, JSESSIONID



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
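
Added example, not part of the original report and not WildFly code: a small Python check that parses a captured exchange like the one above and reports a cookie name set more than once for the same path, plus any Set-Cookie value that appears to be derived from the cookie the client sent. The exchange is reduced from the report; the function names and the "derived from client" rule are assumptions made for this illustration.

```python
from collections import defaultdict

# Exchange reduced from the report above to the headers that matter here.
REQUEST = ("GET /demo/myApp/ HTTP/1.1\r\nHost: localhost:8080\r\n"
           "Cookie: JSESSIONID=Hello\r\n\r\n")
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: JSESSIONID=id;Version=1;Path=/demo\r\n"
            "Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo\r\n"
            "Content-Type: text/plain;charset=UTF-8\r\n\r\nHello world")

def header_values(raw, wanted):
    """Values of every header named `wanted` (lowercase) in a raw message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.partition(":") for line in lines)
    return [v.strip() for k, _, v in pairs if k.strip().lower() == wanted]

def request_cookies(raw):
    """Cookie name -> value as sent by the client."""
    jar = {}
    for value in header_values(raw, "cookie"):
        for pair in value.split(";"):
            name, _, val = pair.strip().partition("=")
            jar[name] = val
    return jar

def set_cookies(raw):
    """(name, value, path) per Set-Cookie header; attribute names ignore case."""
    out = []
    for value in header_values(raw, "set-cookie"):
        first, *attrs = [part.strip() for part in value.split(";")]
        name, _, val = first.partition("=")
        attr = {k.strip().lower(): v.strip()
                for k, _, v in (a.partition("=") for a in attrs)}
        out.append((name, val, attr.get("path", "")))
    return out

def audit(request, response):
    """Cookie names set twice for one path, and values taken from the client."""
    sent, groups, findings = request_cookies(request), defaultdict(list), []
    for name, val, path in set_cookies(response):
        groups[(name, path)].append(val)
    for (name, path), values in groups.items():
        if len(values) > 1:
            findings.append(("duplicate", name, path, values))
        # Assumption: "from client" means the part before the first "." equals
        # the client's value ignoring case (Hello -> hello.vpi070236 above).
        client = sent.get(name)
        for val in values:
            if client and val.split(".", 1)[0].lower() == client.lower():
                findings.append(("from-client", name, path, [val]))
    return findings
```

Calling audit(REQUEST, RESPONSE) on the reported exchange returns one "duplicate" finding for JSESSIONID on /demo and one "from-client" finding for the second cookie; a response carrying only the application's own cookie returns an empty list.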

