
I have a web app for which I'd like time-based sessions, so that refreshing the page or reloading on another tab keeps the same one. So, in web.xml I have:

<servlet-mapping>
    <servlet-name>any</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

<session-config>
    <session-timeout>30</session-timeout> 
    <cookie-config>
        <name>sid</name>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>

The cookie is set with proper expiration, its path is /app/, according to my context name. Now, if I make requests to URLs like /app/ or /app/main, the cookie is passed. However, the root context path of /app does not send the cookie. Even if I add ...

<path>/app</path>

... in the above cookie-config, the cookie path in the browser is the same /app/. Is there any workaround for this strange behaviour?

Apache Tomcat/8.0.28

Laszlo B

1 Answer

The behaviour isn't strange, it is there for security reasons.

The behaviour is also configurable but make sure you understand the security implications of changing the default.

Configuration is via the sessionCookiePathUsesTrailingSlash attribute of the Context element in server.xml. For full details see the Context documentation.

Mark Thomas
  • Thanks. So, if in the same domain I don't have another context with a name that starts with the currently configured context name, then I can safely use this attribute, and omit the trailing slash from the URLs? – Laszlo B Dec 12 '15 at 11:03
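
Why the trailing slash changes which requests carry the session cookie, as an added example that is not part of the original answer or of Tomcat's code: it implements the RFC 6265 path-match rule next to a plain prefix matcher. The prefix matcher is an assumed model of a client that does not follow the RFC, and `/application/login` is a constructed sibling context path.

```javascript
// Added example. All request paths are constructed sample values.

// RFC 6265 section 5.1.4 path-match: is a cookie with Path=cookiePath
// sent along with a request for requestPath?
function rfc6265PathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix alone is not enough: the boundary must fall on a "/".
  return cookiePath.endsWith("/") ||
         requestPath.charAt(cookiePath.length) === "/";
}

// Assumption: a client that ignores the boundary rule and matches
// by plain string prefix.
function loosePrefixMatch(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Request paths that would receive the cookie under a given matcher.
function pathsReceivingCookie(cookiePath, requestPaths, matcher) {
  return requestPaths.filter((p) => matcher(p, cookiePath));
}

// Compare the two cookie paths from the question under both matchers.
function cookieExposure() {
  const requests = ["/app", "/app/", "/app/main", "/application/login"];
  return {
    // Path=/app/ : what the question observes by default
    slashStrict: pathsReceivingCookie("/app/", requests, rfc6265PathMatch),
    slashLoose: pathsReceivingCookie("/app/", requests, loosePrefixMatch),
    // Path=/app : the result of sessionCookiePathUsesTrailingSlash="false"
    bareStrict: pathsReceivingCookie("/app", requests, rfc6265PathMatch),
    bareLoose: pathsReceivingCookie("/app", requests, loosePrefixMatch),
  };
}

console.log(cookieExposure());
```

With `Path=/app/` neither matcher sends the cookie to `/app`, which is the behaviour described in the question. With `Path=/app` the session cookie stays away from the sibling context only when the client applies the RFC boundary rule.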