Bug 45921

Hello,

According to SRV.7.1.3 of the Servlet specs, "URL rewriting is the lowest common denominator of session tracking. When a client will not accept a cookie, URL rewriting may be used by the server as the basis for session tracking".
Let's now consider the following case:

- A user accesses to an app that creates a session for that user. This means the response will contain a cookie with that session id.
- At some point, the cookie stored into the user's browser might not be valid anymore (let's say we invalidated that session from Tomcat).
- Now imagine that the user (who still has his browser opened, so the cookie is still there) now clicks a link pointing to the same app, but that includes a different (and valid) jsessionid embedded into the URL.

Under this case, the application is receiving a request that contains 2 references to a session: 1 jsessionid coming from a cookie (which is invalid because we manually expired that session from the server) and 1 jsessionid coming from the URL (which is valid because it belongs to a session still active).

When we call request.getSession(true) on the app, Tomcat checks that the jsessionid from the cookie is invalid, and returns a new session. Instead, after verifying that the jsessionid from the cookie is invalid, it should check if there's any valid jsessionid coming through the URL. If so, it should return that session and not create a new one. Apparently, a jsessionid coming through a URL is just considered when there's no jsessionid cookie on the request.

Thanks.