Bug 42419 - Options for changing jsessionid cookie name
Summary: Options for changing jsessionid cookie name
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.0.17
Hardware: All All
: P3 enhancement (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL: /smol_explorer/login/html/index_html.jsp
Depends on:
Reported: 2007-05-15 01:39 UTC by Cedric de Launois
Modified: 2009-03-24 05:46 UTC (History)
2 users (show)

Diff to add support for changing the value of JSESSIONID (630 bytes, patch)
2008-10-05 15:03 UTC, André-John Mas
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cedric de Launois 2007-05-15 01:39:32 UTC
Feature request for allowing people to change the default 
jsessionid cookie name.

This feature is needed in the following case :

Setup :
- A single Apache web server fronting Tomcat servers 
  AND other proprietary web servers.
- A web applications 'A' is deployed on a Tomcat server, while another 
  web application 'B' is deployed on another proprietary web server. 
  Both applications 'A' and 'B' are accessed through the same IP or DNS 
  name, but with different context-roots.

Problem :
1) A user logs in on application 'A' on a Tomcat server, and does some work.
   The id of his session is retained in a cookie, named "JSESSIONID"
2) web application A redirects the user to an application B on another, 
   proprietary, web server.
3) The user arrives on application B. The session id contained in the cookie
   is not recognized. A new one is created, which replaces the old one.
4) user returns to application A. The session id contained in JSESSIONID cookie
   is the id of a session on a proprietary web server, which obviously does not
   correspond to any session on Tomcat. Thus, Tomcat is unable to retrieve the
   user's session. Session is lost.

In some case, this problem can be fixed by setting the 'emptySessionPath'
attribute to 'false' in Tomcat's server.xml. This will make all JSESSIONID 
cookies target '/context' path instead of '/', and hence preserve the values
of the jessionid cookies. However, this attribute cannot be set to false in 
some scenarios, e.g. when portals are used, which require that jsessionid
cookies be transmitted across applications.

Solution :
A solution is to allow people to configure the name of the jsessionid cookie,
for all applications on a given server, or for a specific application.
In the depicted scenario, this prevents the application server 'B' to overwrite 
the jsessionid cookie of the application 'A'.

Currently, changing the name of the jessionid cookie is not possible, as it is 
harcoded in the following source files (non-exhaustive list) :
 org/apache/catalina/connector/CoyoteAdapter.java (catalina.jar)
 org/apache/catalina/connector/Response.java (catalina.jar)
 org/apache/catalina/realm/RealmBase.java (catalina.jar)
 org/apache/jasper/tagplugins/jstl/Util.java (jasper-compiler.jar)
 native/common/jk_global.h (mod_jk.so)

This feature request applies (at least) to Catalina, Jasper and Native:JK.
Comment 1 Detlev Beutner 2007-05-22 09:37:11 UTC
Beneath changing the cookie's name, additional options are to restrict the 
cookie to a certain domain and/or path. Different servers follow different 
possibilities, just for an overview:



Comment 2 jfclere 2007-06-22 03:57:24 UTC
For front-end instead using mod_jk use mod_proxy (2.2.x) with somthing like for
<Location /myapp1>
    ProxyPass balancer://mycluster1/myapp1 stickysession=XSESSION nofailover=On
<Location /myapp2>
    ProxyPass balancer://mycluster1/myapp2 stickysession=JSESSION nofailover=On
Comment 3 André-John Mas 2008-10-05 11:06:21 UTC
If a change was made, I believe the simplest approach would be allow a system property to override this. I believe JBOSS already does this. Would a patch to Tomcat be accepted to provide this support, if it was developed?
Comment 4 André-John Mas 2008-10-05 15:03:25 UTC
Created attachment 22672 [details]
Diff to add support for changing the value of JSESSIONID

BTW here is the reference to the entry ask for and solving the same issue in the JBOSS database:


Since the definition of the JSESSIONID value is now defined in a single file:


this is the only place a change would need to be made. I have provided a diff using a similar style of coding as used for the STRICT_SERVLET_COMPLIANCE constant. The system parameter that would be used is:

Comment 5 André-John Mas 2008-10-05 15:16:44 UTC
Note that I have opened bug 45951 to deal with Tomcat 6. An equivalent patch has been added there.
Comment 6 André-John Mas 2008-10-06 11:24:39 UTC
Comment on attachment 22672 [details]
Diff to add support for changing the value of JSESSIONID

changing MIME type of attachment.
Comment 7 Mark Thomas 2008-10-06 11:41:50 UTC
A broader patch has been proposed for 5.5.x that additionally:
- makes the path name parameter configurable
- provides documentation
Comment 8 Mark Thomas 2009-03-24 05:46:41 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.