Why does Jetty send Set-Cookie header when accessing a path not configured with <session-config>/<cookie-config>?


I have this configured in my web.xml:

  <session-config>
    <cookie-config>
      <name>JSESSIONID-A</name>
      <path>/pathA</path>
    </cookie-config>
  </session-config>

This works, and when I go to http://myserver/pathA/, I can see the cookie being sent properly:

Set-Cookie: JSESSIONID-A=1piv1lkarbc6519i8bhw9crnzy3; Path=/pathA

However, when accessing a path like http://myserver/ which should not be affected by the <cookie-config> setting above, Jetty also sends the cookie JSESSIONID-A with Path=/pathA:

Set-Cookie: JSESSIONID-A=172kf3dtw84w9atjxhidbby8l4; Path=/pathA

Why does this happen and is there a way to prevent it from happening?

Jetty version is 9.4.46.v20220331

Answer by Joakim Erdfelt:

Per the Servlet Spec, the Set-Cookie with JSESSIONID will be created when your code uses HttpServletRequest.getHttpSession().

The <session-config> only allows you to tweak how that cookie is managed, not restrict which paths it can occur on.

Your code dictates which HTTP/URI paths it will occur on.
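
An added example (not part of the original question or answer, and not Jetty's own code) of the behaviour described above: in the servlet API, `HttpServletRequest.getSession()` and `getSession(true)` create a session and make the container emit `Set-Cookie`, while `getSession(false)` never creates one. The class name `SessionScopeServlet` and its two mappings are hypothetical, and the `javax.servlet` namespace used by Jetty 9.4 is assumed.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: map it in web.xml to both "/" and "/pathA/*"
// and compare the response headers for the two URLs.
public class SessionScopeServlet extends HttpServlet {

    // Must match <cookie-config><path> in web.xml.
    private static final String SESSION_AREA = "/pathA";

    // True for "/pathA" itself or anything below it; "/pathAB" does not match.
    static boolean inSessionArea(String path) {
        return path.equals(SESSION_AREA) || path.startsWith(SESSION_AREA + "/");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Decoded path inside the web application, without the context path.
        String pathInfo = req.getPathInfo();
        String path = req.getServletPath() + (pathInfo == null ? "" : pathInfo);

        HttpSession session;
        if (inSessionArea(path)) {
            // Creates a session when none exists. This call is what makes the
            // container add "Set-Cookie: JSESSIONID-A=...; Path=/pathA".
            session = req.getSession(true);
        } else {
            // Never creates a session. The browser does not send the
            // Path=/pathA cookie for this URL, so this returns null
            // and no Set-Cookie header is added to the response.
            session = req.getSession(false);
        }

        resp.setContentType("text/plain");
        // Report only whether a session exists; never echo the session id.
        resp.getWriter().println(path + ": "
                + (session == null ? "no session" : "session active"));
    }
}
```

With both mappings in place, `GET /` carries no `Set-Cookie` header while `GET /pathA/` does, provided nothing else in the request chain creates a session (for example a filter calling `getSession()`, or a JSP without `<%@ page session="false" %>`).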