

I have a web application running in Apache Tomcat 7 and using Struts2. My login system is made by putting a User object in a session:


(bypassing "if" and "try" to be clear...)

UserService es = new UserService();
User user = es.login(username, password);
ActionContext.getContext().getSession().put("loggedUser", user);


And then, I try to get a User object from that session in an Interceptor. If ok, then someone is logged. If not, go to login page by returning "notLogged" that will be caught by Struts2 global-results in struts.xml:

public String intercept(ActionInvocation invocation) {
    // The session map holds the User object stored at login
    User loggedUser = (User) invocation.getInvocationContext().getSession().get("loggedUser");
    if (loggedUser == null) {
        return "notLogged";
    }
    try {
        return invocation.invoke();
    } catch (Exception ignored) {
        return "notLogged";
    }
}



    <result name="notLogged">/index.jsp</result>


All was very well, until the server admin did some maintenance and the "jsessionid" started to appear in the URL. After this, I can't navigate my system anymore (until I copy and paste this ID in every URL I want to go to; no way to form action destinations). I am still able to log in and I see the User object is still being caught, but I can't go to any destination without this ID.

I tried this: https://fralef.me/tomcat-disable-jsessionid-in-url.html, and put COOKIE in the tracking-mode tag in my web.xml, but things got worse because now I can't even log in.


What happened, and what can I do to solve this and put my system back to work?



This is apparently caused by cookie path mismatch.


The browser will only send back the cookie if the request URL path matches the cookie path, e.g.

cookie path :   /abc
request path:   /abc/xyz   // match
request path:   /xyz       // no match


By default, Tomcat sets the session cookie path to the web app path, so that the cookie will not be sent to other web apps. However, in your case, the middleware changes the request URL path, therefore the browser observes a different path, causing a cookie path mismatch.


In most cases, I'd recommend setting the cookie path to "/", so that it matches all requests to the server (assuming there's only one app on Tomcat).

// context.xml
<Context sessionCookiePath="/">


08-04 13:05
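
The path rule described in the answer, as an added example that is not part of the original answer: it applies the RFC 6265 path-match check to a session cookie and a set of browser-visible URLs. The host example.test, the context path /shop, the proxy prefix /store and the cookie values are constructed assumptions.

```javascript
// RFC 6265 section 5.1.4 path-match: the rule a browser uses to decide
// whether a stored cookie is attached to a request.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so /abc does not match /abcd.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Pull the Path attribute out of a Set-Cookie header value.
function cookiePathOf(setCookie) {
  for (const attr of setCookie.split(";").slice(1)) {
    const [name, value = ""] = attr.trim().split("=");
    if (name.toLowerCase() === "path" && value.startsWith("/")) return value;
  }
  return null; // no usable Path attribute (default-path rule not modelled here)
}

// Which browser-visible URLs would carry the session cookie?
function urlsCarryingCookie(setCookie, urls) {
  const cookiePath = cookiePathOf(setCookie);
  if (cookiePath === null) return [];
  return urls.filter((u) => pathMatches(cookiePath, new URL(u).pathname));
}

// Constructed sample: Tomcat context path /shop, published by a proxy under /store.
const browserUrls = [
  "https://example.test/store/login.action",
  "https://example.test/store/cart/list.action?id=7",
  "https://example.test/shop/login.action",
  "https://example.test/shopping/list.action",
];
// Cookie scoped to the context path (Tomcat's default) versus sessionCookiePath="/".
const defaultCookie = "JSESSIONID=CONSTRUCTED0001; Path=/shop; HttpOnly";
const rootCookie = "JSESSIONID=CONSTRUCTED0001; Path=/; HttpOnly";

// Only the /shop URL carries the default cookie; every /store request arrives without a session.
console.log(urlsCarryingCookie(defaultCookie, browserUrls));
// With Path=/ all four URLs carry it.
console.log(urlsCarryingCookie(rootCookie, browserUrls));
```

With Path=/ the session cookie is attached to every path on the host, which is why the answer's single-app assumption matters.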