users@glassfish.java.net

JSESSIONID problem with default web module

From: <glassfish_at_javadesktop.org>
Date: Tue, 01 Sep 2009 07:32:56 PDT

Hi,

I have a session problem when I configure a web app as the default web module of my server (GlassFish v2.1). When I do so and I hit the index page of my web app (www.domain.com), the JSESSIONID cookie gets created with a path of "/". After the user logs in, he's redirected and the URL gets changed to "www.domain.com/webapp1/something.jsf". Later on, the user logs out. In the logout process, we invalidate the HTTP session. That process causes the creation of a new JSESSIONID but this time with a path of "/webapp1". Right after logout, if the user uses a bookmark to access the domain directly (www.domain.com) or types in the URL in the browser, he'll get redirected back to the index page and another JSESSIONID cookie with a path of "/" will be created. When he tries to log in, we now have 2 JSESSIONID cookies that get sent to the server with the login request (one with a path of "/" and one with a path of "/webapp1"). This is causing a problem because the JSF index page's state is stored in the session with a root of "/" but since the login request targets "/webapp1", the session that is used to process that request is the one with a path of "/webapp1" and it doesn't contain the view state that was just rendered (the login request fails with a ViewExpiredException; we use the "server" as the "javax.faces.STATE_SAVING_METHOD").

I tried a couple of things to fix this but they all have something wrong:

1. I configured the cookiePath in the sun-web.xml of my web app to force "/webapp1". When the user accesses the index page, the path of the JSESSIONID gets properly set to "/webapp1". The problem is that as soon as the browser requests the "/favicon.ico" file, a new JSESSIONID will get created with a path of "/". Then, we wind up with 2 JSESSIONID cookies again and the problem comes back.

2. I tried the same thing but setting the cookiePath to "/". Now, when the user logs out, even if the logout request is done in the "/webapp1" context, the new JSESSIONID gets created with a path of "/". Everything works fine but I'm afraid we might run into this problem again when we deploy another web app on the same domain; 2 JSESSIONID cookies will be passed around to requests to the second web app: one created by webapp1 with a path of "/" and one with a path of "/webapp2" created by the second web app (obviously, all links within the second web app will always need to specify the web app name in the URL because there can only be one default web module for the domain name and that is already configured to webapp1).

3. I tried not configuring the default web module and overriding the default GlassFish index page to do the redirect to www.domain.com/webapp1 using a meta refresh tag in the header. This winds up being the same as the first solution (the first JSESSIONID gets created with a path of "/webapp1" but a request to "/favicon.ico" will create another one with a path of "/").

So, my question is, is what I'm trying to do impossible, bad practice or ill-advised, i.e. having one domain, running many web apps, one of which is configured as the default web module, without having this JSESSIONID problem? Is there something obvious that I'm not seeing here? For now, I'm going with solution number 2 because we don't have other web apps running on the domain but I can't help but feel this is a hack. Will I really run into problems if another web app is deployed on the same domain?

Thanks for your advice.
[Message sent by forum member 'ylazzari' (yannick.lazzari_at_gmail.com)]

http://forums.java.net/jive/thread.jspa?messageID=362568
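
The cookie behaviour described in the message above, as an added example that is not part of the original post: a JavaScript model of the browser-side path-match and ordering rules from RFC 6265 (sections 5.1.4 and 5.4), run over constructed cookie jars. The function names and the session values `logoutSession` and `indexSession` are assumptions made for illustration.

```javascript
// RFC 6265 section 5.1.4: does a cookie's Path attribute match the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/webapp1" does not match "/webapp10".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.4: matching cookies are sent longest path first,
// ties broken by earliest creation time.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names that would appear more than once in the Cookie header for this path.
function duplicateNames(jar, requestPath) {
  const counts = new Map();
  for (const c of jar) {
    if (pathMatches(requestPath, c.path)) {
      counts.set(c.name, (counts.get(c.name) || 0) + 1);
    }
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed jar: state after logout followed by a fresh visit to the index page.
const jar = [
  { name: "JSESSIONID", value: "logoutSession", path: "/webapp1", created: 1 },
  { name: "JSESSIONID", value: "indexSession", path: "/", created: 2 },
];

// Constructed jar for attempt 1 (cookiePath forced to "/webapp1"),
// before the browser has requested /favicon.ico.
const forcedJar = [
  { name: "JSESSIONID", value: "indexSession", path: "/webapp1", created: 1 },
];

console.log(cookieHeader(jar, "/webapp1/something.jsf"));
console.log(JSON.stringify(cookieHeader(forcedJar, "/favicon.ico")));
```

The login request to "/webapp1/something.jsf" carries both cookies with the "/webapp1" one listed first, which is consistent with the post's observation that the "/webapp1" session handles it. The "/favicon.ico" request in attempt 1 carries no cookie at all, so the server starts a new session with a path of "/".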