Re: [jetty-users] Duplicate valid session cookies?

Well, a proper client shouldn't be sending more than one cookie of the same name for the same path and domain. If Jetty receives multiple session cookies, we look through them all (because we've had previous reports of badly configured clients and apps) to find the one that is valid. If we find more than one valid cookie, we don't know which one to use, so we log it as an error.

On Tue, 5 Apr 2022 at 11:16, John English <john.foreign@xxxxxxxxx> wrote:
On 05/04/2022 01:08, Jan Bartel wrote:
> Somehow your client is sending 2 session cookies. Maybe you have a
> couple of different overlapping cookie paths configured on the server?

No, it just looks like someone has been playing with openssl or the
like. There are a series of HEAD and OPTIONS commands from a (known,
internal) IP address. There was no login attempt, so perhaps whoever did
it is trying a replay attack using session cookies from an earlier
session. The only annoyance is it shows up as an unhandled exception, so
I get emailed automatically.

--
John English


--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD
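
The cookie handling described in the reply above, as an added sketch that is not part of the original thread and is not Jetty's own code. The class and method names, the in-memory set standing in for the session store, and the choice to treat repeated copies of the same id as one session are assumptions; the session ids and Cookie headers are constructed samples.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SessionCookieResolver {
    enum Outcome { NO_VALID_SESSION, SINGLE_VALID_SESSION, MULTIPLE_VALID_SESSIONS }

    record Result(Outcome outcome, List<String> validIds) {}

    // Collect the value of every cookie called cookieName in one Cookie header.
    static List<String> sessionCookieValues(String cookieHeader, String cookieName) {
        List<String> values = new ArrayList<>();
        if (cookieHeader == null) return values;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;                        // skip malformed pairs
            if (pair.substring(0, eq).trim().equals(cookieName)) {
                values.add(pair.substring(eq + 1).trim());
            }
        }
        return values;
    }

    // Check every candidate against the live sessions. Assumption of this sketch:
    // the same id sent twice counts once; two distinct valid ids are ambiguous.
    static Result resolve(String cookieHeader, String cookieName, Set<String> liveSessions) {
        List<String> valid = new ArrayList<>();
        for (String id : sessionCookieValues(cookieHeader, cookieName)) {
            if (liveSessions.contains(id) && !valid.contains(id)) valid.add(id);
        }
        Outcome outcome = valid.isEmpty() ? Outcome.NO_VALID_SESSION
                : valid.size() == 1 ? Outcome.SINGLE_VALID_SESSION
                : Outcome.MULTIPLE_VALID_SESSIONS;       // the case that gets logged as an error
        return new Result(outcome, valid);
    }

    public static void main(String[] args) {
        Set<String> live = Set.of("node0abc", "node0def");   // constructed session ids
        String[] headers = {                                  // constructed Cookie headers
            "JSESSIONID=node0abc; theme=dark",
            "JSESSIONID=node0old; JSESSIONID=node0abc",       // stale + valid: still resolvable
            "JSESSIONID=node0abc; JSESSIONID=node0def",       // two valid: ambiguous
            "theme=dark"
        };
        for (String h : headers) {
            Result r = resolve(h, "JSESSIONID", live);
            System.out.println(r.outcome() + " " + r.validIds() + " <- " + h);
        }
    }
}
```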
