[jboss-jira] [JBoss JIRA] (WFLY-12375) Server returns 2 JSESSIONID cookies
Brian Stansberry (Jira)
issues at jboss.org
Wed Aug 14 10:58:00 EDT 2019
[ https://issues.jboss.org/browse/WFLY-12375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13770866#comment-13770866 ]
Brian Stansberry commented on WFLY-12375:
-----------------------------------------
AIUI the suggested bug here is that the inclusion of a JSESSIONID cookie in the request is resulting in the creation of a session object when one doesn't exist.
> Server returns 2 JSESSIONID cookies
> ------------------------------------
>
> Key: WFLY-12375
> URL: https://issues.jboss.org/browse/WFLY-12375
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 17.0.1.Final
> Reporter: Nicolas NESMON
> Assignee: Flavia Rainone
> Priority: Major
> Labels: COOKIES, JSESSIONID
>
> Please find below the source code of my simplified JAX-RS application:
> {code:java}
> import java.util.Collections;
> import java.util.Set;
> import javax.ws.rs.ApplicationPath;
>
> @ApplicationPath("myApp")
> public class Application extends javax.ws.rs.core.Application {
>     public Application() {
>     }
>
>     @Override
>     public Set<Object> getSingletons() {
>         return Collections.singleton(new HelloWorldResource());
>     }
> }
> {code}
> {code:java}
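> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpSession;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.Context;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.NewCookie;
> import javax.ws.rs.core.Response;
>
> @Path("/")
> @Produces(MediaType.TEXT_PLAIN)
> public class HelloWorldResource {
>     @Context
>     private HttpServletRequest httpServletRequest;
>     @GET
>     public Response helloWorld() {
>         // getSession(false) only looks up an existing session; it never creates one
>         HttpSession session = this.httpServletRequest.getSession(false);
>         return Response.ok(session == null ? "Hello world" : "Bye bye world")
>                 .cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false)).build();
>     }
> }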
> {code}
> When deploying this application in WF 17.0.1.Final and running the following request:
> {noformat}
> GET http://localhost:8080/demo/myApp/
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> Pragma: no-cache
> Cache-Control: no-cache
> Cookie: JSESSIONID=Hello => without this cookie, I only get the cookie I created.
> {noformat}
> I get the following response:
> {noformat}
> HTTP/1.1 200 OK
> Connection: keep-alive
> Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
> Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
> Content-Type: text/plain;charset=UTF-8
> Content-Length: 11
> Date: Tue, 13 Aug 2019 23:28:15 GMT
> {noformat}
> As you may notice, there are 2 JSESSIONID cookies in the response:
> * The one I was expecting with "id" value since I created it.
> * Another one created by the server even though I did not ask for it, since in my code I don't create any HTTP session. And by the way, this JSESSIONID cookie is created but there is no server-side session created... weird
> Any idea why this second JSESSIONID cookie is created by the server?
> Since my real application doesn't use HTTP sessions at all, the workaround I found is to set the session tracking mode to URL:
> {noformat}
> <web-app>
>     <session-config>
>         <tracking-mode>URL</tracking-mode>
>     </session-config>
> </web-app>
> {noformat}
> Thanks
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
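A regression check for the response shown in the report, as an added example that is not part of the original message and is not WildFly or Undertow code. The function names are hypothetical, and treating the text before the first "." as the session id (compared case-insensitively with the request cookie) is an assumption drawn from the `hello.vpi070236` value above.

```python
from collections import defaultdict

# Response headers copied from the report, embedded so the check runs offline.
REPORTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: keep-alive\r\n"
    "Set-Cookie: JSESSIONID=id;Version=1;Path=/demo\r\n"
    "Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
)

def parse_set_cookies(raw_response):
    """Return [(name, value, path)] for every Set-Cookie header, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, content = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in content.split(";")]
        name, _, value = pair.partition("=")
        path = "/"  # simplification: the real default comes from the request URI
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "path":    # attribute names are case-insensitive
                path = val.strip()
        cookies.append((name.strip(), value.strip(), path))
    return cookies

def audit(raw_response, request_cookies):
    """Flag cookies set twice for one (name, path) and values echoing the request."""
    by_key = defaultdict(list)
    for name, value, path in parse_set_cookies(raw_response):
        by_key[(name, path)].append(value)
    findings = []
    for (name, path), values in by_key.items():
        if len(values) > 1:
            findings.append(("duplicate", name, path, tuple(values)))
        sent = request_cookies.get(name)
        for value in values:
            # Assumption: a suffix after "." is added by the server, not the client.
            if sent and value.split(".")[0].lower() == sent.lower():
                findings.append(("reflected", name, path, value))
    return findings
```

Run against the reported exchange, `audit(REPORTED_RESPONSE, {"JSESSIONID": "Hello"})` reports both the duplicate `JSESSIONID` for `/demo` and the value that mirrors the client-supplied cookie.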