56256 – Multiple cookies and parallel deployment

Bug 56256 - Multiple cookies and parallel deployment

Summary: Multiple cookies and parallel deployment

Status:	RESOLVED INVALID

Alias:	None

Product:	Tomcat 8
Classification:	Unclassified
Component:	Catalina (show other bugs)
Version:	8.0.3
Hardware:	All All

Importance:	P2 minor (vote)
Target Milestone:	----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-13 10:19 UTC by Konstantin Kolinko
Modified:	2014-03-14 15:08 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Konstantin Kolinko 2014-03-13 10:19:00 UTC

The following is based on reviewing the code of CoyoteAdapter.postParseRequest(..)

Suppose the following scenario:

1) There are multiple versions of /foo web application.
2) Both /foo and ROOT web application create session cookies
3) A new version of /foo is deployed in parallel to the old one
4) Browser sends several SESSIONID cookies: for the ROOT webapp and for the old version of /foo webapp.

Will the old version of /foo selected in this scenario?

The problem is that Tomcat first selects the only sessionID among several cookies (in CoyoteAdapter.parseSessionCookiesId(..)) and then uses that only sessionID to select webapp version (in CoyoteAdapter.postParseRequest(..)).


All works if there is a cookie that belongs to the latest version of the webapp. On the first mapping the request is mapped to the latest version. Thus 'parseSessionCookiesId(..)' by default looks for sessionid that belongs to the latest version of the web application.

If the cookie belongs to an earlier version, the 'parseSessionCookiesId(..)' method selects sessionID value from the last cookie among SESSIONID cookies sent by browser.

Comment 1 Mark Thomas 2014-03-14 15:08:45 UTC

The call to isRequestedSessionIdValid() checks all versions of the app for a match.