What is an empty session path in Tomcat?

I read the Apache Tomcat documentation the day before, and I got so confused about emptySessionPath. As far as I know, if it is set to true, emptySessionPath is stored in the root folder of the web application. Please give the correct definition of the term emptySessionPath, and what happens if it is set to true or false?

Please guide me. Thanks in advance.

+6
java tomcat webserver tomcat6 connector
4 answers

The emptySessionPath field indicates whether the entire cookie should be stored in the root URL / (if emptySessionPath=true) or not (otherwise).

This is used by the Apache connector. See details here (this is for the AJP connector, which is part of the Connector object).

This basically means:

If emptySessionPath is enabled in Tomcat, the JSESSIONID cookie is written to the root path "/". This means that no matter which website you are on, you will use the same cookie. Each webapp will overwrite the cookie value to hold that webapp's session id, and they are all different.

When this is turned on and servlets in different webapps are used, requests from the same user to the other servlets will end up overwriting the cookie, so when the servlet is interacted with again, it will create a new session and release the session already configured.

If emptySessionPath is not set, there are several cookies in the browser, one for each webapp (not at the root), so different webapps do not overwrite each other's cookies as above.

JSESSIONID is the session ID for your webapp. Full description here.

Update: this usage information is somewhat outdated - see here for more up-to-date information on how to set the session path for a recent Tomcat as well.

+7

If emptySessionPath is set to true, it will remove the context path from the JSESSIONID cookie. It will set the cookie path to /. This attribute can be used for a cross-application authentication mechanism.

+5

A session, as you probably know, is often supported by cookies. A cookie has two values that determine whether it should be returned by the browser for a specific request: cookieDomain and cookiePath. The cookie must match the request.

For a request to

  /some/request/for/this.html

the cookie will be returned for the cookie paths:

  /
  /some
  /some/request

But not for the cookie path:

  /other

By specification, a session is not shared between different web applications, so if you have the foo.war web application deployed to /foo , the session cookie path will be set to /foo by default.

Connector.emptySessionPath seems to be a protected variable on the connector. I have not read the code - but I think this has something to do with Tomcat's single sign-on or sharing sessions, where you log in to one context and are authenticated in all - in this case the cookie path should be / for session cookies.

+4
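The cookie behaviour described in the first and third answers, as an added example that is not part of the original posts or of Tomcat's code: a minimal browser cookie jar using the RFC 6265 path-match rule. The context paths /foo and /bar, the session ids, and the assumption that each webapp issues its own session id are constructed for illustration.

```python
# Added example: minimal single-host cookie jar with RFC 6265 path matching.
# Context paths, session ids and function names are constructed, not Tomcat's.

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does cookie_path cover request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a path-segment boundary ("/foo" must not match "/foobar").
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self):
        self.cookies = {}  # (name, path) -> value; one host, so domain is omitted

    def store(self, name, value, path):
        # A cookie with the same name and path replaces the stored one.
        self.cookies[(name, path)] = value

    def sent_with(self, request_path, name="JSESSIONID"):
        """Values of `name` the browser would attach to request_path."""
        return sorted(v for (n, p), v in self.cookies.items()
                      if n == name and path_match(request_path, p))


def simulate(empty_session_path):
    """Visit /foo, then /bar, then return the JSESSIONID values sent back to /foo."""
    jar = CookieJar()
    for context, session_id in (("/foo", "FOO-SESSION"), ("/bar", "BAR-SESSION")):
        # Assumption: each webapp issues its own id; only the cookie Path differs.
        cookie_path = "/" if empty_session_path else context
        jar.store("JSESSIONID", session_id, cookie_path)
    return jar.sent_with("/foo/account.jsp")


if __name__ == "__main__":
    print("context-scoped path:  ", simulate(False))
    print("emptySessionPath=true:", simulate(True))
```

With the root path, /foo receives the id issued by /bar, which it does not recognise, so it starts a new session; the same cookie is also sent to every other webapp on the host.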

Just in case, for web_app 3.0, the cookie configuration is standardized, so the equivalent of the AJP emptySessionPath in webapp 3.0 is:

  <session-config>
    <cookie-config>
      <path>/</path>
      <secure>true</secure>
    </cookie-config>
  </session-config>

0