DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=42419>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42419 Summary: Options for changing jsessionid cookie name Product: Tomcat 5 Version: 5.0.17 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P3 Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Feature request for allowing people to change the default jsessionid cookie name. This feature is needed in the following case : Setup : ------- - A single Apache web server fronting Tomcat servers AND other proprietary web servers. - A web applications 'A' is deployed on a Tomcat server, while another web application 'B' is deployed on another proprietary web server. Both applications 'A' and 'B' are accessed through the same IP or DNS name, but with different context-roots. Problem : --------- 1) A user logs in on application 'A' on a Tomcat server, and does some work. The id of his session is retained in a cookie, named "JSESSIONID" 2) web application A redirects the user to an application B on another, proprietary, web server. 3) The user arrives on application B. The session id contained in the cookie is not recognized. A new one is created, which replaces the old one. 4) user returns to application A. The session id contained in JSESSIONID cookie is the id of a session on a proprietary web server, which obviously does not correspond to any session on Tomcat. Thus, Tomcat is unable to retrieve the user's session. Session is lost. In some case, this problem can be fixed by setting the 'emptySessionPath' attribute to 'false' in Tomcat's server.xml. This will make all JSESSIONID cookies target '/context' path instead of '/', and hence preserve the values of the jessionid cookies. However, this attribute cannot be set to false in some scenarios, e.g. when portals are used, which require that jsessionid cookies be transmitted across applications. Solution : ---------- A solution is to allow people to configure the name of the jsessionid cookie, for all applications on a given server, or for a specific application. In the depicted scenario, this prevents the application server 'B' to overwrite the jsessionid cookie of the application 'A'. Currently, changing the name of the jessionid cookie is not possible, as it is harcoded in the following source files (non-exhaustive list) : org/apache/catalina/connector/CoyoteAdapter.java (catalina.jar) org/apache/catalina/connector/Response.java (catalina.jar) org/apache/catalina/realm/RealmBase.java (catalina.jar) org/apache/jasper/tagplugins/jstl/Util.java (jasper-compiler.jar) native/common/jk_global.h (mod_jk.so) This feature request applies (at least) to Catalina, Jasper and Native:JK. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
