WildFly / WFLY-12375

Server returns 2 JSESSIONID cookies


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major
    • Affects Version: 17.0.1.Final
    • Component: Web (Undertow)

      Please find below the source code of my simplified JAX-RS application:

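      // Application.java
      import java.util.Collections;
      import java.util.Set;

      import javax.ws.rs.ApplicationPath;

      // JAX-RS entry point; resources are served under /myApp.
      @ApplicationPath("myApp")
      public class Application extends javax.ws.rs.core.Application {
      
      	public Application() {
      	}
      
      	@Override
      	public Set<Object> getSingletons() {
      		return Collections.singleton(new HelloWorldResource());
      	}
      
      }
      
      // HelloWorldResource.java
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpSession;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.Context;
      import javax.ws.rs.core.MediaType;
      import javax.ws.rs.core.NewCookie;
      import javax.ws.rs.core.Response;

      @Path("/")
      @Produces(MediaType.TEXT_PLAIN)
      public class HelloWorldResource {
      
      	@Context
      	private HttpServletRequest httpServletRequest;
      
      	@GET
      	public Response helloWorld() {
      		// getSession(false) never creates a session; it returns null when none exists.
      		HttpSession session = this.httpServletRequest.getSession(false);
      		// The application sets its own cookie named JSESSIONID (value "id", path "demo", not Secure).
      		return Response.ok(session == null ? "Hello world" : "Bye bye world")
      				.cookie(new NewCookie("JSESSIONID", "id", "demo", null, null, -1, false)).build();
      	}
      }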
      

      When deploying this application in WF 17.0.1.Final and running the following request:

      GET http://localhost:8080/demo/myApp/
      
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      Pragma: no-cache
      Cache-Control: no-cache
      Cookie: JSESSIONID=Hello                  => without this cookie, I only get the cookie I created.
      

      I get the following response:

      HTTP/1.1 200 OK
      Connection: keep-alive
      Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
      Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
      Content-Type: text/plain;charset=UTF-8
      Content-Length: 11
      Date: Tue, 13 Aug 2019 23:28:15 GMT
      

      As you may notice, there are 2 JSESSIONID cookies in the response:

      • The one I was expecting, with the "id" value, since I created it.
      • Another one created by the server even though I did not ask for it, since in my code I don't create any HTTP session. And by the way, this JSESSIONID cookie is created but there is no server-side session created... weird.

      Any idea why this second JSESSIONID cookie is created by the server?

      Since my real application doesn't use HTTP sessions at all, the workaround I found is to set the session tracking mode to URL:

      <web-app>
          <session-config>
              <tracking-mode>URL</tracking-mode>
          </session-config>
      </web-app>
      

      Thanks

              parsharm Parul Sharma
              nicones Nicolas NESMON (Inactive)
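An added example, not part of the original report or of WildFly's code: a small Python check that flags a response setting the same cookie name more than once for the same domain and path, which is the symptom reported above. RFC 6265 advises servers against sending more than one Set-Cookie with the same cookie name in one response. The sample input is the response quoted in the report; the function names are illustrative.

```python
from collections import defaultdict

# Constructed sample: the response headers quoted in the report above.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Connection: keep-alive
Set-Cookie: JSESSIONID=id;Version=1;Path=/demo
Set-Cookie: JSESSIONID=hello.vpi070236; path=/demo
Content-Type: text/plain;charset=UTF-8
Content-Length: 11
Date: Tue, 13 Aug 2019 23:28:15 GMT
"""


def parse_set_cookie(value):
    """Return (name, cookie_value, attrs) with attribute names lower-cased."""
    first, *rest = value.split(";")
    name, _, cookie_value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            # "Path" and "path" are the same attribute, as in the sample.
            attrs[key.lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def duplicate_cookies(raw_response):
    """Map (name, domain, path) -> values for cookies set more than once."""
    seen = defaultdict(list)
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, cookie_value, attrs = parse_set_cookie(value)
        # Cookie names and paths are case-sensitive; domains are not.
        key = (name, attrs.get("domain", "").lower(), attrs.get("path", ""))
        seen[key].append(cookie_value)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (name, domain, path), values in duplicate_cookies(SAMPLE_RESPONSE).items():
        print(f"{name} set {len(values)} times for path {path!r}: {values}")
```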