}
// Handle special case of ROOT context where cookies require a path of
// '/' but the servlet spec uses an empty string
- if (contextPath.length() == 0) {
- contextPath = "/";
+ // Also ensure the cookies for a context with a path of /foo don't get
+ // sent for requests with a path of /foobar
+ if (!contextPath.endsWith("/")) {
+ contextPath = contextPath + "/";
}
cookie.setPath(contextPath);
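Review bot: With the new `if (!contextPath.endsWith("/"))` branch, a context at `/foo` gets a cookie path of `/foo/`, and cookie path-matching will then not match a request for exactly `/foo` with no trailing slash, so the session cookie is not sent on that request. Please confirm that requests to the bare context root are redirected to the trailing-slash form before a session is looked up, or say so in the comment. The retained ROOT comment is also now only implicitly true: the empty string becomes `/` because it does not end in `/`, and a few words in the comment stating that would stop a later edit from breaking it. A test covering the `/foo` against `/foobar` case and the ROOT case would be worth adding with this change.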
ServletRequest#getServerPort() and ServletRequest#getLocalPort() when
Tomcat is behind a reverse proxy. (markt)
</add>
+ <fix>
+ Ensure session cookie paths end in <code>/</code> so that session
+ cookies created for a context with a path of <code>/foo</code> do not
+ get returned with requests mapped to a context with a path of
+ <code>/foobar</code>. (markt)
+ </fix>
</changelog>
</subsection>
</section>
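Review bot: The new `<fix>` entry explains the `/foo` against `/foobar` motivation but does not say that the emitted cookie path for an existing context changes from `/foo` to `/foo/`. Consider adding a short clause to that effect so that deployers who depend on the exact path value see the behaviour change in the changelog.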