Resolving JSESSIONID Conflicts

In order to make your web application stateful, the J2EE Web Container provides a session that can be used to store items needed for future requests. By default, the web container uses a cookie set in the browser named JSESSIONID to store the key for finding this session for future requests.

Let's consider the following scenario:

app1 -> Runs on host1.javasanity.org:8080, CookieDomain: .javasanity.org
app2 -> Runs on host2.javasanity.org:8080, CookieDomain: .javasanity.org

When you connect to app1, it will set a cookie named JSESSIONID whose value is used on subsequent requests to the same Web Container for tracking state.

When you connect to app2, it will overwrite your JSESSIONID with its own. You won't notice a problem until you try to return to app1, though. When you do return to app1, the Web Container won't be able to find the prior session and you'll get a new one again (overwriting the JSESSIONID for app2).

This issue shows up because each cookie domain can only have one cookie of a given name. You can solve this in a few ways:

1. Use separate browsers for each application (IE for one and Firefox for the other). This really isn't a nice solution, but I'm putting it in here because it is a possible choice.
2. Give each application its own Cookie Domain. Perhaps use host1.javasanity.org for the first application and host2.javasanity.org for the second. You can have two cookies with the same name as long as the cookie domains are different.
3. Customize the cookie name for each application. This is usually done within the deployment descriptor of the web application. Note that if you use a web server in front of your application server, you may need to let it know you're using a different cookie name as well.

I think the third solution is the best. In fact, I suggest always using unique cookie names, even if you don't have JSESSIONID conflicts. Figuring out why your session data is getting lost can be quite painful, and being proactive from the start will keep you safe if new apps show up in your environment later.
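The scenario and solutions 2 and 3 above, replayed against a simplified model of a browser cookie jar. This is an added example, not code from the original post; the CookieJar class, the helper names and the session values are constructed for illustration, and JSESSIONID_APP2 is an assumed name for the second application.

```python
# Simplified model of a browser cookie jar (constructed example data).
# A stored cookie is identified by (name, domain, path); setting a cookie
# with the same identity replaces the earlier value.

def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)

class CookieJar:
    def __init__(self):
        self._store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, host, name, value, domain=None, path="/"):
        if domain is None:
            key_domain, host_only = host, True       # no Domain attribute
        else:
            key_domain, host_only = domain.lstrip(".").lower(), False
            if not domain_matches(host, key_domain):
                return                               # foreign domain: rejected
        self._store[(name, key_domain, path)] = (value, host_only)

    def cookies_for(self, host):
        """Return the (name, value) pairs the browser would send to host."""
        sent = []
        for (name, domain, _path), (value, host_only) in self._store.items():
            ok = (host == domain) if host_only else domain_matches(host, domain)
            if ok:
                sent.append((name, value))
        return sent

HOST1, HOST2 = "host1.javasanity.org", "host2.javasanity.org"

def visit_both_then_return(app1, app2):
    """Visit app1, then app2, then return to app1. Each argument is a
    (cookie name, cookie domain) pair. Returns the cookies sent to host1."""
    jar = CookieJar()
    jar.set_cookie(HOST1, app1[0], "session-from-app1", domain=app1[1])
    jar.set_cookie(HOST2, app2[0], "session-from-app2", domain=app2[1])
    return jar.cookies_for(HOST1)

if __name__ == "__main__":
    shared = ".javasanity.org"
    # The conflict: same name, same cookie domain.
    print(visit_both_then_return(("JSESSIONID", shared), ("JSESSIONID", shared)))
    # Solution 2: a separate cookie domain per application.
    print(visit_both_then_return(("JSESSIONID", HOST1), ("JSESSIONID", HOST2)))
    # Solution 3: a unique cookie name per application.
    print(visit_both_then_return(("JSESSIONID_APP1", shared),
                                 ("JSESSIONID_APP2", shared)))
```

With unique names under the shared cookie domain, host1 still receives app2's session cookie alongside its own; only separate cookie domains keep each session ID from being sent to the other host.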

In WebLogic, you can adjust the cookie name used by adding this to your weblogic.xml:

<session-descriptor>
  <session-param>
    <param-name>CookieName</param-name>
    <param-value>JSESSIONID_APP1</param-value>
  </session-param>
</session-descriptor>
