Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Cookies for ROOT context need a path of /

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@959754 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
index 4739fc3..b8d32bb 100644 (file)
--- a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
+++ b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
@@ -156,6 +156,11 @@ public class ApplicationSessionCookieConfig implements SessionCookieConfig {
         if (contextPath == null || contextPath.length() == 0) {
             contextPath = context.getEncodedPath();
         }
+        // Handle special case of ROOT context where cookies require a path of
+        // '/' but the servlet spec uses an empty string
+        if (contextPath.length() == 0) {
+            contextPath = "/";
+        }
         cookie.setPath(contextPath);
 
         return cookie;

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d79b9c9..7d6de84 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -79,6 +79,10 @@
         Use a LockOutRealm in the default configuration to prevent attempts to
         guess user passwords by brute-force. (markt)
       </add>
+      <fix>
+        <bug>49525</bug>: Ensure cookies for the ROOT context have a path of /
+        rather than an empty string. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">