https://issues.apache.org/bugzilla/show_bug.cgi?id=56256
Bug ID: 56256
Summary: Multiple cookies and parallel deployment
Product: Tomcat 8
Version: 8.0.3
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com

The following is based on reviewing the code of CoyoteAdapter.postParseRequest(..)

Suppose the following scenario:
1) There are multiple versions of /foo web application.
2) Both /foo and ROOT web application create session cookies
3) A new version of /foo is deployed in parallel to the old one
4) Browser sends several SESSIONID cookies: for the ROOT webapp and for the old version of /foo webapp.

Will the old version of /foo be selected in this scenario?

The problem is that Tomcat first selects the only sessionID among several cookies (in CoyoteAdapter.parseSessionCookiesId(..)) and then uses that only sessionID to select webapp version (in CoyoteAdapter.postParseRequest(..)).

All works if there is a cookie that belongs to the latest version of the webapp. On the first mapping the request is mapped to the latest version. Thus 'parseSessionCookiesId(..)' by default looks for sessionid that belongs to the latest version of the web application.

If the cookie belongs to an earlier version, the 'parseSessionCookiesId(..)' method selects sessionID value from the last cookie among SESSIONID cookies sent by browser.
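
The lookup order described in the report, as an added example that is not Tomcat source and not part of the original message: a simplified model comparing "pick one session ID, then map the version" with "test every session ID against every version". The class, method names, version labels and session ID values are constructed for illustration; in this model the result of the reported order depends on which cookie the browser sends last.

```java
import java.util.*;

// Simplified model of the lookup order described in the report; not Tomcat source.
public class ParallelDeploymentCookieModel {
    // Constructed data: versions of /foo, newest first, with the session IDs each one owns.
    static final Map<String, Set<String>> VERSIONS = new LinkedHashMap<>();
    static {
        VERSIONS.put("foo##002", Set.of());                   // newly deployed, no sessions yet
        VERSIONS.put("foo##001", Set.of("OLD-FOO-SESSION"));  // old version, live session
    }
    static final String LATEST = "foo##002";

    // Scan versions newest first and return the first one that owns any of the IDs.
    static String ownerOf(List<String> ids) {
        for (Map.Entry<String, Set<String>> v : VERSIONS.entrySet())
            for (String id : ids)
                if (v.getValue().contains(id)) return v.getKey();
        return null;
    }

    // As reported: reduce the cookies to one ID first, then map the version from that ID alone.
    static String selectAsReported(List<String> cookieIds) {
        String chosen = null;
        for (String id : cookieIds)
            if (VERSIONS.get(LATEST).contains(id)) chosen = id;   // prefer the latest version's ID
        if (chosen == null && !cookieIds.isEmpty())
            chosen = cookieIds.get(cookieIds.size() - 1);         // otherwise the last cookie wins
        String owner = (chosen == null) ? null : ownerOf(List.of(chosen));
        return owner != null ? owner : LATEST;
    }

    // Alternative: keep every candidate ID and test all of them against every version.
    static String selectCheckingAll(List<String> cookieIds) {
        String owner = ownerOf(cookieIds);
        return owner != null ? owner : LATEST;
    }

    public static void main(String[] args) {
        // Constructed cookie orders: the ROOT webapp's ID and the old /foo version's ID.
        List<List<String>> orders = List.of(
            List.of("ROOT-SESSION", "OLD-FOO-SESSION"),
            List.of("OLD-FOO-SESSION", "ROOT-SESSION"));
        for (List<String> ids : orders)
            System.out.println(ids + " reported=" + selectAsReported(ids)
                + " checkAll=" + selectCheckingAll(ids));
    }
}
```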