Bug 49598 - Session update fails and adds second cookie header without header name
Session update fails and adds second cookie header without header name
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
6.0.29
All All
: P2 regression (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
: 49641 (view as bug list)
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2010-07-15 17:30 UTC by Mark Thomas
Modified: 2010-11-25 10:42 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Thomas 2010-07-15 17:30:38 UTC
The following code in a Servlet or JSP will cause invalid session cookies to be sent to the client:

HttpSession session = req.getSession(true);
session.invalidate();
req.getSession(true);

Essentially the client will still see the old session cookie and then try and use the now invalidated session, breaking most applications that do this.
Comment 1 Mark Thomas 2010-07-15 17:56:40 UTC
Fixed in 7.0.x and will be in 7.0.1 onwards.

Proposed for 6.0.x
Comment 2 Mark Thomas 2010-07-16 06:27:10 UTC
Fixed in 6.0.x and will be included in 6.0.29 onwards.
Comment 3 Mark Thomas 2010-07-23 07:19:57 UTC
*** Bug 49641 has been marked as a duplicate of this bug. ***
Comment 4 tetsujin 2010-11-25 10:23:09 UTC
The same issue happens even on Tomcat 6.0.29 on both Linux CentOS and Windows XP with exactly the same behaviour. We discovered that migrating from Tomcat 6.0.18

Does there exists a temporary fix ?
Comment 5 Mark Thomas 2010-11-25 10:42:46 UTC
This issue has been fixed in 6.0.29.

If you are experiencing issues, Bugzilla is not a support forum. Please use the users mailing list.