As stated in http://tomcat.apache.org/tomcat-7.0-doc/config/context.html, setting the 'cookie' attribute to 'false' should disable the use of cookies for session identifier communication. But it turns out not to work. The JSESSIONID cookie is still generated and saved on the browser side. This happens when the user doesn't specify "tracking-mode" (http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/) in the web.xml, which is the default behavior.

Below is some analysis I'd give after doing some debugging with Tomcat's source code (tag: TOMCAT_7_0_27).

(setting 'cookie' attribute to 'false' in WEB-INF/context.xml)

The JSESSIONID cookie is generated in Request#doGetSession(boolean):line 2891. As no "tracking-mode" is given in web.xml, the call of ServletContext#getEffectiveSessionTrackingModes() falls back to #getDefaultSessionTrackingModes(). There's no problem here.

The problem is that the ServletContext is initialized before the 'cookie' attribute is read from context.xml. Specifically, StandardContext#getServletContext() is called before ContextConfig#processContextConfig(Digest, URL). Hence, when initializing a ServletContext, the referenced StandardContext's "cookies" field is at its default value "true", which wrongly initializes its "defaultSessionTrackingModes" with COOKIE mode!

One solution I'd give is, when a StandardContext's "cookie" field is changed, to re-initialize the referenced ServletContext. Or make sure ContextConfig#processContextConfig(Digest, URL) is called before any StandardContext#getServletContext() call.
(In reply to comment #0)
> (setting 'cookie' attribute to 'false' in WEB-INF/context.xml)

Did you mean META-INF/context.xml or you really mean WEB-INF/context.xml?

I cannot observe the described behavior on the latest Tomcat version (7.0.40). Can you provide an example that illustrates the problem against 7.0.40?

Regards
Violeta
I meant META-INF/. Sorry, I cannot reproduce it in a clean Tomcat server. Previously, I actually encountered this issue in Geronimo 3, which embeds Tomcat version 7.0.27. So it must be related to the customization in Geronimo server. Marked it as invalid. Thanks for looking into this.
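
An added example, not part of this thread or of Tomcat's code: a static check over a web application's web.xml and context.xml that reports which file decides whether a JSESSIONID cookie is expected, following the fallback to the default tracking modes described in the report. The sample XML is constructed, the function names are hypothetical, and the Context attribute is read under Tomcat's documented name `cookies`.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from the bug report).
WEB_XML_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

WEB_XML_URL_ONLY = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><tracking-mode>URL</tracking-mode></session-config>
</web-app>"""

CONTEXT_XML = '<Context cookies="false"/>'


def local(tag):
    """Strip an XML namespace prefix such as {http://...}tracking-mode."""
    return tag.rsplit("}", 1)[-1]


def declared_tracking_modes(web_xml):
    """Return the <tracking-mode> values declared in web.xml (may be empty)."""
    root = ET.fromstring(web_xml)
    return {el.text.strip().upper() for el in root.iter()
            if local(el.tag) == "tracking-mode" and el.text}


def context_cookies_enabled(context_xml):
    """Read the Context 'cookies' attribute; it defaults to true when absent."""
    root = ET.fromstring(context_xml)
    return root.get("cookies", "true").strip().lower() != "false"


def audit(web_xml, context_xml):
    """Report which file decides whether a JSESSIONID cookie is expected."""
    modes = declared_tracking_modes(web_xml)
    if modes:
        # Explicit modes in web.xml are what the application asked for.
        return {"source": "web.xml", "cookie_expected": "COOKIE" in modes}
    # No tracking-mode declared: the container's default modes apply,
    # which is the situation the report describes.
    return {"source": "context.xml",
            "cookie_expected": context_cookies_enabled(context_xml)}


if __name__ == "__main__":
    print(audit(WEB_XML_DEFAULT, CONTEXT_XML))
    print(audit(WEB_XML_URL_ONLY, "<Context/>"))
```

When the audit says no cookie is expected but a running server still sets JSESSIONID, the container resolved its session tracking modes differently from what the files declare.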