Re: [jetty-users] Duplicate valid session cookies?
Well, a proper client shouldn't be sending more than one cookie of the same name for the same path and domain. If jetty receives multiple session cookies, we look through them all (because we've had previous reports of badly configured clients and apps) to find the one that is valid. If we find more than one valid cookie, we don't know which one to use, so we log it as an error.
On 05/04/2022 01:08, Jan Bartel wrote:
> Somehow your client is sending 2 session cookies. Maybe you have a
> couple of different overlapping cookie paths configured on the server?
No, it just looks like someone has been playing with openssl or the
like. There are a series of HEAD and OPTIONS commands from a (known,
internal) IP address. There was no login attempt, so perhaps whoever did
it is trying a replay attack using session cookies from an earlier
session. The only annoyance is it shows up as an unhandled exception, so
I get emailed automatically.
--
John English
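
The selection rule described in the reply at the top of this message, as an added example that is not part of the original thread and is not Jetty's own code: every value sent under the session cookie name is checked against the set of live sessions, and more than one distinct valid id is reported as ambiguous. The class name, the `Outcome` values, the sample session ids and the choice to count a repeated identical id once are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SessionCookieCheck {
    enum Outcome { NO_COOKIE, NO_VALID_ID, ONE_VALID_ID, AMBIGUOUS }

    // Collect every value sent under the session cookie name in one Cookie header.
    static List<String> sessionIds(String cookieHeader, String name) {
        List<String> ids = new ArrayList<>();
        if (cookieHeader == null) return ids;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue; // not a name=value pair, skip it
            if (pair.substring(0, eq).trim().equals(name)) {
                ids.add(pair.substring(eq + 1).trim());
            }
        }
        return ids;
    }

    // Apply the rule from the thread: look through all candidates, accept a
    // single valid id, and flag the request when more than one id is valid.
    static Outcome classify(String cookieHeader, String name, Set<String> liveSessions) {
        List<String> ids = sessionIds(cookieHeader, name);
        if (ids.isEmpty()) return Outcome.NO_COOKIE;
        // Assumption of this example: the same id sent twice counts once.
        long valid = ids.stream().distinct().filter(liveSessions::contains).count();
        if (valid == 0) return Outcome.NO_VALID_ID;
        return valid == 1 ? Outcome.ONE_VALID_ID : Outcome.AMBIGUOUS;
    }

    public static void main(String[] args) {
        // Constructed sample data: two live session ids and four Cookie headers.
        Set<String> live = Set.of("node0aaa111", "node0bbb222");
        String[] headers = {
            "theme=dark",
            "JSESSIONID=node0expired; theme=dark",
            "JSESSIONID=node0expired; JSESSIONID=node0aaa111",
            "JSESSIONID=node0aaa111; JSESSIONID=node0bbb222"
        };
        for (String h : headers) {
            System.out.println(classify(h, "JSESSIONID", live) + "  <-  " + h);
        }
    }
}
```

Logging the client address alongside an `AMBIGUOUS` result gives a reviewable record of which host presented two live session ids in one request.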