7

I have read apache tomcat documentation a day before, and I am so confused about emptySessionPath . Up to my knowledge, if it's set to true, the emptySessionPath is stored at the root folder of web application. Please give the right definition of the term emptySessionPath and what happens if it is set to true and false?

Please guide me.Thanks in advance.

Buhake Sindi
  • 87,898
  • 29
  • 167
  • 228
Muneeswaran Balasubramanian
  • 3,839
  • 8
  • 31
  • 43

4 Answers4

8

The emptySessionPath field just states whether the all cookie should be stored in the root URL path / (if emptySessionPath=true) or not (otherwise).

This is used by Apache's Connector. See details here (This is for AJP Connector, which is part of the Connnector object).

What this basically means is:

If emptySessionPath is enabled in tomcat, the JSESSIONID cookie is written to the root "/" path. This means that whatever webapp you are on will use the same cookie. Each webapp will re-write the cookie's value to hold that webapp's session id, and they are all different.

When this is enabled and servlets in different webapps are used, requests from the same user to different servlets will end up overwriting the cookie so that when the servlet is again interacted with it will create a new session and loose the session it had already set up.

If emptySessionPath is not set, there are multiple cookies in the browser, one for each webapp (none at the root), so different webapps are not re-writing each other's cookie as above.

JSESSIONID is the ID Session for your Webapp. See a full explanation here.

Update: This information about usage is somewhat outdated - see here for a more up-to-date information on how to set the Session path also for recent tomcat.

Community
  • 1
  • 1
Buhake Sindi
  • 87,898
  • 29
  • 167
  • 228
  • Hi elite,Please explain further more what happened if emptysessionpath is not set? – Muneeswaran Balasubramanian Dec 02 '10 at 13:40
  • @Muneeswaran Balasubramanian, if you read my first link, the default value is `false` if not set. Also, read the last paragraph on the blocked section, it explains if `emptySessionPath` is not set. – Buhake Sindi Dec 02 '10 at 13:45
  • ya.i can't understand your last paragraph on the blocked section,so only i ask to u.please explain further more. – Muneeswaran Balasubramanian Dec 02 '10 at 14:08
  • In my application,i have send the request after session expired.If that request is http request that works fine.But if that request is Ajax request,the url is changed but the page is not loaded.But after i set the emptysessionpath is true.All works well.SO what happens between this?If you can please explain. – Muneeswaran Balasubramanian Dec 02 '10 at 14:11
  • Ajax won't reload the page since you're doing an asynchronous call to the server hence why it never reload the page. I can't really explain why everything works well when `emptySessionPath` is set. – Buhake Sindi Dec 02 '10 at 14:56
5

If emptySessionPath is set to true, it will eliminate the context path from JSESSIONID cookie.It will set a cookie path to /.This attribute can be used for cross application autehentication mechanism.

UVM
  • 9,776
  • 6
  • 41
  • 66
4

Session are, as you probably know, often maintained by a cookie. A cookie has two values that determines whether they should be returned by the browser for a certain request, cookieDomain and cookiePath. The cookiePath must match that of the request.

A request is made for

 /some/request/for/this.html

Cookie would be returned with cookie path:

 / 
 /some
 /some/request

But not for cookie path:

 /other

By spec, a session is not shared between different web applications, so if you have web application foo.war deployed under /foo, the session cookie path would, by default be set to /foo.

It seems Connector.emptySessionPath is a protected variable on Connector. I haven't read the code - but I guess it has something to do with Tomcat's single sign on or sharing sessions, where you login to one context and are authenticated in all - in which case the cookie path must be / for the session cookies.

Martin Algesten
  • 13,052
  • 4
  • 54
  • 77
0

Just in case, for the web_app version 3.0, the cookie configuration is standarized, so the equivalent to the AJP's emptySessionPath in webapp 3.0 is:

<session-config>
<cookie-config>
<path>/</path>
<secure>true</secure>
</cookie-config>
</session-config>

Carlos Saltos
  • 1,385
  • 15
  • 15