Issue
I am using Tomcat 8.0.35 for my web application. This post
https://www.logicbig.com/tutorials/java-ee-tutorial/java-servlet/session-tracking-mode.html
says that we can use multiple tracking-mode elements within a single session-config element in the web.xml
    <web-app>
      <session-config>
        <tracking-mode>???</tracking-mode>
      </session-config>
    </web-app>
I am not able to find the additional information about "multiple tracking-mode elements". What could be Tomcat's behavior if I have the following?
    <web-app>
      <session-config>
        <tracking-mode>URL</tracking-mode>
        <tracking-mode>COOKIE</tracking-mode>
      </session-config>
    </web-app>
Solution
The answer to the question can be found in org.apache.catalina.connector.CoyoteAdapter#postParseRequest.
The following code is from Tomcat 8.5:
    String sessionID;
    if (request.getServletContext().getEffectiveSessionTrackingModes()
            .contains(SessionTrackingMode.URL)) {
        // Get the session ID if there was one
        sessionID = request.getPathParameter(
                SessionConfig.getSessionUriParamName(
                        request.getContext()));
        if (sessionID != null) {
            request.setRequestedSessionId(sessionID);
            request.setRequestedSessionURL(true);
        }
    }
    // Look for session ID in cookies and SSL session
    parseSessionCookiesId(request);
    parseSessionSslId(request);
    sessionID = request.getRequestedSessionId();
The following happens:
- If Tomcat is allowed to use URL session tracking, it tries to find a sessionId in the URL request.
- If it's allowed to use cookie tracking, it looks for the session ID in the cookies. It takes precedence, regardless of whether there was a session ID in the request or not.
- (Not part of your question, but for completeness) SSL session tracking is used if and only if it's the only allowed tracking mode. Otherwise it will be ignored.
I do not know why the URL tracking was not extracted into a separate method like for the SSL and Cookie tracking modes, but they look almost identical:
- Check if the mode is enabled
- Try to find SessionId
- Set the Session ID in the Request object.
Answered By - Svetlin Zarev
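The lookup order described in the answer, as an added example that is not part of the original post and is not Tomcat source code: a simplified stand-alone model that resolves the session ID for a few constructed requests. The class and method names are hypothetical, the parameter name `jsessionid` is assumed to be left at its default, and Java 16 or later is assumed for `record`.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model of the lookup order described above; not Tomcat source code.
public class TrackingModeOrder {
    enum Mode { URL, COOKIE, SSL }

    /** The session ID the request ends up with and which source supplied it. */
    record Resolved(String id, String source) {}

    // Extracts the value of ";jsessionid=..." from the request path, or null.
    static String pathParameter(String uri) {
        String key = ";jsessionid="; // assumed default parameter name
        int start = uri.indexOf(key);
        if (start < 0) return null;
        start += key.length();
        int end = start;
        while (end < uri.length() && ";/?".indexOf(uri.charAt(end)) < 0) end++;
        return uri.substring(start, end);
    }

    static Resolved resolve(Set<Mode> modes, String uri, String cookieId, String sslId) {
        String id = null;
        String source = "none";
        if (modes.contains(Mode.URL)) {
            String fromUrl = pathParameter(uri);
            if (fromUrl != null) { id = fromUrl; source = "URL"; }
        }
        // The cookie is examined second and replaces an ID taken from the URL.
        if (modes.contains(Mode.COOKIE) && cookieId != null) { id = cookieId; source = "COOKIE"; }
        // SSL is considered only when it is the sole allowed mode.
        if (modes.equals(EnumSet.of(Mode.SSL)) && sslId != null) { id = sslId; source = "SSL"; }
        return new Resolved(id, source);
    }

    public static void main(String[] args) {
        Set<Mode> both = EnumSet.of(Mode.URL, Mode.COOKIE);
        String uri = "/app/cart;jsessionid=AAAA1111?item=3"; // constructed sample request
        System.out.println(resolve(both, uri, "BBBB2222", null));              // cookie replaces the URL ID
        System.out.println(resolve(both, uri, null, null));                    // no cookie: URL ID is used
        System.out.println(resolve(EnumSet.of(Mode.COOKIE), uri, null, null)); // URL mode off: URL ID ignored
        System.out.println(resolve(both, "/app/cart", null, "CCCC3333"));      // SSL not the only mode: ignored
    }
}
```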