Cookie vs jsessionid url token precedence
https://stackoverflow.com/questions/5868448
-
28-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
how is it with Set-Cookie: VS jsessionid url token precedence ?
Apache Tomcat just seem to ignore the token if cookie is set. Isn't it a little inconvenient behavior ? Or is it like this because of security reasons ?
this is the url of the request in servlet
....someParam=addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B'
and ID of the resulting Session corresponds to the cookie request header param...
This means, that it screws up handling of the request. For instance Spring-mvc resolves
someParam value to addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B' and it crashes with exception...
Solution
As per the Servlet 2.4 specification, URL re-writing is the lowest denomination of session tracking so I'm not surprised that jsessionid in the URL is ignored for clients who are accepting cookies. Read the section 7.1 for relevant details (i.e. session tracking).
As far as your updated question is concerned (Spring MVC related), there are a lot of articles/techniques out there which mention how to do away with the excessive baggage of ;jsessionid in your URL by stripping them off using a filter or by using mod_rewrite. Do a google search for "jsessionid in url" and read through the links which follow.
