What is empty session path in tomcat?

Question

I have read apache tomcat documentation a day before, and I am so confused about emptySessionPath . Up to my knowledge, if it\'s set to true, the emptySession

Answer 1

Session are, as you probably know, often maintained by a cookie. A cookie has two values that determines whether they should be returned by the browser for a certain request, cookieDomain and cookiePath. The cookiePath must match that of the request.

A request is made for

 /some/request/for/this.html

Cookie would be returned with cookie path:

 / 
 /some
 /some/request

But not for cookie path:

 /other

By spec, a session is not shared between different web applications, so if you have web application foo.war deployed under /foo, the session cookie path would, by default be set to /foo.

It seems Connector.emptySessionPath is a protected variable on Connector. I haven't read the code - but I guess it has something to do with Tomcat's single sign on or sharing sessions, where you login to one context and are authenticated in all - in which case the cookie path must be / for the session cookies.