Cookie vs jsessionid url token precedence

ho开发者_StackOverflow社区w is it with Set-Cookie: VS jsessionid url token precedence ?

Apache Tomcat just seem to ignore the token if cookie is set. Isn't it a little inconvenient behavior ? Or is it like this because of security reasons ?

this is the url of the request in servlet

....someParam=addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B'

and ID of the resulting Session corresponds to the cookie request header param...

This means, that it screws up handling of the request. For instance Spring-mvc resolves someParam value to addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B' and it crashes with exception...

As per the Servlet 2.4 specification, URL re-writing is the lowest denomination of session tracking so I'm not surprised that jsessionid in the URL is ignored for clients who are accepting cookies. Read the section 7.1 for relevant details (i.e. session tracking).

As far as your updated question is concerned (Spring MVC related), there are a lot of articles/techniques out there which mention how to do away with the excessive baggage of ;jsessionid in your URL by stripping them off using a filter or by using mod_rewrite. Do a google search for "jsessionid in url" and read through the links which follow.