- Bug
- Resolution: Unresolved
- Major
- 2.2.17.Final
- None
Since UNDERTOW-1489, UNDERTOW-1612 and UNDERTOW-1676, multiple cookies with the same name but different path settings are supported.
If you have multiple webapps in one (WildFly) ear, each app registers its own SessionCookieConfig instance with the related path (in our case one under root "/" and one under "/theapp").
While logging in in 2 browser tabs, 2 JSESSIONID cookies with different paths are created.
But preceding calls of the "/theapp" app return the wrong sessionid (the one of "/").
So all those calls to protected resources under "/theapp" fail due to "no session attached".
To get the sessionId the system calls "getRequestCookie()" on HttpServerExchange with this impl:
```java
public Cookie getRequestCookie(final String name) {
    if (name == null) return null;
    for (Cookie cookie : requestCookies()) {
        if (name.equals(cookie.getName())) {
            // TODO: QUESTION: Shouldn't we check instead of just name also
            // TODO requestPath (stored in this exchange request path) and
            // TODO: domain (stored in Host HTTP header).
            return cookie;
        }
    }
    return null;
}
```
So I think the path must be checked here as well, or?
- is blocked by
- UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.
- Pull Request Sent
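
An added example, not Undertow's code or the project's fix: a request's `Cookie` header carries only name=value pairs (RFC 6265), so a lookup cannot compare paths, and one alternative is to collect every value sent under the name and accept only one that the deployment's own session store knows. The class, method names, session IDs and in-memory stores are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;

public class SessionCookieLookup {

    /** All values sent for one cookie name, in header order (no Path is available here). */
    static List<String> cookieValues(String cookieHeader, String name) {
        List<String> values = new ArrayList<>();
        // Simplified parsing: assumes unquoted values without embedded ';'.
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).trim().equals(name)) {
                values.add(pair.substring(eq + 1).trim());
            }
        }
        return values;
    }

    /** First-name-match lookup, the behaviour the report describes. */
    static Optional<String> firstMatch(String cookieHeader, String name) {
        return cookieValues(cookieHeader, name).stream().findFirst();
    }

    /** Accept only a candidate that this deployment's own session store knows. */
    static Optional<String> knownSession(String cookieHeader, String name,
                                         Set<String> liveSessionIds) {
        return cookieValues(cookieHeader, name).stream()
                .filter(liveSessionIds::contains)
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample: session ids and stores are made up for this example.
        Set<String> rootSessions = Set.of("root-1111");
        Set<String> theappSessions = Set.of("app-2222");
        // Constructed so that the "/" cookie is listed before the "/theapp" one.
        String header = "JSESSIONID=root-1111; theme=dark; JSESSIONID=app-2222";

        System.out.println("first match:   " + firstMatch(header, "JSESSIONID"));
        System.out.println("/theapp store: " + knownSession(header, "JSESSIONID", theappSessions));
        System.out.println("/ store:       " + knownSession(header, "JSESSIONID", rootSessions));
    }
}
```

Giving each deployment a distinct session cookie name avoids the ambiguity altogether, since the two apps then never compete for the same name.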