We have the following situation:
JSESSIONID is sent both by cookies and by URL, but due to Adobe Flash BUG they are different (in fact, the JSESSIONID error in the cookie is incorrect).
We would like to use the JSESSIONID URL instead of the one sent to the cookies. In other words, when I execute request.getSession (), it should return the HttpSession associated with the identifier in the URL and not in the cookie.
We looked at the source code for Tomcat7, and essentially, Tomcat parses the URL first, looking for the identifier. He then overrides it with SESSIONID cookies, if present. Here is the code compressed in CoyoteAdapter.java (tomcat 7.0.26):
String sessionID = null;
if (request.getServletContext().getEffectiveSessionTrackingModes()
.contains(SessionTrackingMode.URL)) {
// Get the session ID if there was one
sessionID = request.getPathParameter(
SessionConfig.getSessionUriParamName(
request.getContext()));
if (sessionID != null) {
request.setRequestedSessionId(sessionID);
request.setRequestedSessionURL(true);
}
}
// Look for session ID in cookies and SSL session
parseSessionCookiesId(req, request);
parseSessionSslId(request);
cookies JSESSIONID , , URL- -. cookie URL.
? ?