[undertow-dev] JSESSIONID cookie path empty for root deployments

Tomaž Cerar tomaz.cerar at gmail.com
Tue Jun 24 06:14:48 EDT 2014


Hi,

I think this might be fixed in master, at least this commit
https://github.com/wildfly/wildfly/commit/fe642cd253dc91febed2f763a48853aa200a1bd5
was changing this exact behavior.

Can you try with WildFly master if it is still the same?

--
tomaz


On Mon, Jun 23, 2014 at 3:16 PM, arjan tijms <arjan.tijms at gmail.com> wrote:

> Hi,
>
> For a root deployment, Undertow by default writes the JSESSIONID cookie
> with an empty path. I.e. in the response header the following appears:
>
> SET-COOKIE: JSESSIONID=FhgSh... path=; ...
>
> An empty path causes browsers to set the cookie on whatever path was used
> for the request URI. In effect, this causes multiple JSESSIONIDs to be
> created while browsing through an app deployed to WildFly, and thus
> multiple JSESSIONIDs being posted back when other paths are accessed
> (leading to many issues).
>
> The cause of this seems to be in
> io.undertow.servlet.spec.ServletContextImpl#ServletContextImpl and
> io.undertow.servlet.core.DeploymentManagerImpl#handleDeploymentSessionConfig,
> where the cookie path is set to deploymentInfo#getContextPath, which in
> both cases returns the empty string.
>
> See:
>
> io.undertow.servlet.spec.ServletContextImpl.ServletContextImpl(ServletContainer,
> Deployment)
>
> sessionCookieConfig = new SessionCookieConfigImpl(this);
> sessionCookieConfig.setPath(deploymentInfo.getContextPath());
>
> and:
>
> io.undertow.servlet.core.DeploymentManagerImpl.handleDeploymentSessionConfig(DeploymentInfo,
> ServletContextImpl)
>
> if(sc.getPath() != null) {
>     sessionCookieConfig.setPath(sc.getPath());
> } else {
>     sessionCookieConfig.setPath(deploymentInfo.getContextPath());
> }
>
> I'm not sure if deploymentInfo#getContextPath should indeed return the
> empty string for a root deployment or not, but I think setting the cookie
> path to the empty string is not really correct and should be "/" in that
> case.
>
> Kind regards,
> Arjan Tijms
>
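
The browser behaviour described in the quoted message, modelled on the cookie-path rules of RFC 6265 (sections 5.1.4 and 5.2.4). This is an added example, not part of the original thread and not Undertow or WildFly code; the server model, the request paths and the session ids are constructed assumptions.

```javascript
// RFC 6265 section 5.1.4: default-path of a request URI path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does requestPath path-match cookiePath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.2.4: an empty Path value (or one not starting with "/")
// makes the user agent fall back to the default-path of the request.
function effectiveCookiePath(pathAttr, requestPath) {
  return pathAttr && pathAttr[0] === "/" ? pathAttr : defaultPath(requestPath);
}

// Constructed simulation: the server issues a new JSESSIONID whenever a request
// arrives without one, always sending the same Path attribute value.
function browse(pathAttr, requestPaths) {
  const jar = new Map(); // cookie-path -> session id (cookie name and host are fixed)
  let issued = 0;
  const log = [];
  for (const requestPath of requestPaths) {
    const sent = [...jar]
      .filter(([cookiePath]) => pathMatches(requestPath, cookiePath))
      .map(([, id]) => id);
    if (sent.length === 0) {
      jar.set(effectiveCookiePath(pathAttr, requestPath), `s${++issued}`);
    }
    log.push({ requestPath, sent });
  }
  return { issued, jar, log };
}

// Constructed request sequence for an application deployed at the root context.
const visits = ["/shop/cart", "/account/profile", "/index.html", "/shop/cart"];
const emptyPath = browse("", visits); // "path=;" as in the header quoted above
const rootPath = browse("/", visits); // "path=/" as proposed in the message
console.log(emptyPath.issued, [...emptyPath.jar.keys()], emptyPath.log[3].sent);
console.log(rootPath.issued, [...rootPath.jar.keys()], rootPath.log[3].sent);
```

With the empty path the model ends up with three sessions scoped to `/shop`, `/account` and `/`, and the last request carries two JSESSIONID values; with `/` there is one session and one cookie per request.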