Bug 54980 - Setting 'cookies' attribute to 'false' in context still generate JSESSIONID cookie
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.27
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
 
Reported: 2013-05-16 07:28 UTC by Emac
Modified: 2013-05-24 03:28 UTC



Description Emac 2013-05-16 07:28:08 UTC
As stated in http://tomcat.apache.org/tomcat-7.0-doc/config/context.html, setting the 'cookie' attribute to 'false' should disable the use of cookies for session identifier communication. But it turns out not to work. The JSESSIONID cookie is still generated and saved on the browser side.

This happens when the user doesn't specify "tracking-mode" (http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/) in the web.xml, which is the default behavior.


Below is some analysis I'd give after doing some debugging with Tomcat's source code (tag: TOMCAT_7_0_27).

(setting 'cookie' attribute to 'false' in WEB-INF/context.xml)

The JSESSIONID cookie is generated in Request#doGetSession(boolean):line 2891. As no "tracking-mode" is given in web.xml, the call of ServletContext#getEffectiveSessionTrackingModes() falls back to #getDefaultSessionTrackingModes(). There's no problem here.

The problem is the ServletContext is initialized before the 'cookie' attribute is read from context.xml. Specifically, StandardContext#getServletContext() is called before ContextConfig#processContextConfig(Digest, URL).

Hence, when initializing a ServletContext, the referenced StandardContext's "cookies" field is at its default value "true", which wrongly initializes its "defaultSessionTrackingModes" with COOKIE mode!

One solution I'd give is when a StandardContext's "cookie" field is changed, re-initialize the referenced ServletContext.

Or make sure ContextConfig#processContextConfig(Digest, URL) is called before any StandardContext#getServletContext() call.
Comment 1 Violeta Georgieva 2013-05-23 16:09:41 UTC
(In reply to comment #0)
> 
> (setting 'cookie' attribute to 'false' in WEB-INF/context.xml)
> 

Did you mean META-INF/context.xml, or did you really mean WEB-INF/context.xml?


I cannot observe the described behavior on the latest Tomcat version (7.0.40).


Can you provide an example that illustrates the problem against 7.0.40?


Regards
Violeta
Comment 2 Emac 2013-05-24 03:28:53 UTC
I meant META-INF/.

Sorry, I cannot reproduce it in a clean Tomcat server. Previously, I actually encountered this issue in Geronimo 3, which embeds Tomcat version 7.0.27. So it must be related to the customization in the Geronimo server.

Marked it as invalid. Thanks for looking into this.
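
Added example (not part of the bug report, and not Tomcat or Geronimo code): since the thread shows the same context.xml producing different session tracking in plain Tomcat and in an embedding server, a listener like the following records the modes the container actually applied and stops the application if they differ from what was intended. The class name and the `expectedTrackingModes` context-param are assumptions made for this sketch; the `ServletContext` calls are the Servlet 3.0 methods named in the description.

```java
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class TrackingModeAudit implements ServletContextListener {

    // Hypothetical <context-param> in web.xml, e.g. "URL" or "COOKIE,SSL".
    static final String EXPECTED_PARAM = "expectedTrackingModes";

    // Turn a comma-separated list such as "cookie, url" into enum values.
    static Set<SessionTrackingMode> parse(String csv) {
        Set<SessionTrackingMode> modes = EnumSet.noneOf(SessionTrackingMode.class);
        for (String name : csv.split(",")) {
            String n = name.trim().toUpperCase(Locale.ROOT);
            if (!n.isEmpty()) {
                modes.add(SessionTrackingMode.valueOf(n));
            }
        }
        return modes;
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Defaults are derived by the container (in Tomcat, from the
        // context's "cookies" setting); effective modes also reflect web.xml.
        Set<SessionTrackingMode> defaults = ctx.getDefaultSessionTrackingModes();
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        ctx.log("Session tracking: default=" + defaults + " effective=" + effective);

        String expected = ctx.getInitParameter(EXPECTED_PARAM);
        if (expected != null && !parse(expected).equals(effective)) {
            // Throwing from a listener makes Tomcat fail the context start.
            throw new IllegalStateException("Effective session tracking modes "
                    + effective + " do not match expected " + parse(expected));
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```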