this is somewhat of an interesting use case, however, what if this happens:
..session usage..
..headers get committed..
..session invalidate..
..new session creation..
I don't see how the old solution would work around the problem either.
no matter where you put the cookie creation, once the response is
committed, and you try to create a new session, there is no way to set
that cookie.
Although I would agree that sending down 3 session cookies doesn't seem
right.
what would seem appropriate would be to do this:
1. Prevent multiple cookies, ie, swap out the old cookie. Only one
session id should be sent down
2. throw an illegal state exception if a session.create is called after
the response headers are committed.
Filip
Arvind Srinivasan wrote:
Hi,
In Tomcat 5.x and 6.x, the JSESSIONID Set-Cookie header is added to
the response during session creation (in Request.doGetSession),
whereas in Tomcat 4.x this used to be done during
Response.sendHeaders(). Not that it causes any problems, but TC
5.x/6.x responses can contain JSESSIONID Set-Cookie headers even when
there is no session or can contain multiple JSESSIONID Set-Cookie
headers (examples at the end of this mail)
Was there a problem in TC4.x when the JSESSIONID cookie was added when
the response headers were committed and hence this logic had to be
moved to Request.doGetSession in TC5.x/6.x?
Thanks,
Arvind
% cat webapps/ROOT/session1.jsp
<%
session.invalidate();
out.print("request.getSession(false)=");
if (request.getSession(false) == null)
out.println("null");
else
out.println(session);
%>
GET /session1.jsp HTTP/1.0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=152B8151F108C614BB90FF20F4304340; Path=/
Content-Type: text/html
Content-Length: 35
Date: Fri, 30 Mar 2007 12:21:45 GMT
Connection: close
request.getSession(false)=null
---------------------------------------------------
% cat webapps/ROOT/session2.jsp
<%
session.invalidate();
session = request.getSession(true);
session.invalidate();
session = request.getSession(true);
out.print("request.getSession(false)=");
if (request.getSession(false) == null)
out.println("null");
else
out.println(session);
%>
GET /session2.jsp HTTP/1.0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A37F56FC791DE3D5A25B0D31109C6D47; Path=/
Set-Cookie: JSESSIONID=6766CBEEF3D3093773D75F59A95E2E54; Path=/
Set-Cookie: JSESSIONID=133C6FFF6E09ABD71E79DE84F68479BC; Path=/
Content-Type: text/html
Content-Length: 87
Date: Fri, 30 Mar 2007 12:23:01 GMT
Connection: close
request.getSession(false)[EMAIL PROTECTED]
---------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
