When the request dispatcher is used to include a servlet from another web application, it appears that the included servlet (in the 2nd web application) get the same session as the 1st web application. As per the spec, web applications must not share session data. have attached a .zip file containing 2 .war files and the relevant server.xml entries for the 2 web applications. To reproduce the problem, unpack the .war files in the webapps directory, add the Context entries to server.xml and after starting the server, make a request to /web1/servlet/Servlet1. (web2.war has to be deployed at the context-root 'web2'. JDK1.4 was used to compile the classes) Servlet1 (in web application web1) gets a session and sets a 'count' attribute to the value 9. It then gets a request dispatcher to the web application web2 and then includes Servlet2 from web2. When Servlet2 retrieves the value of the count attribute from its session, it finds the value that was set by Servlet1. Trying 0.0.0.0... Connected to .. Escape character is '^]'. GET /web1/servlet/Servlet1 HTTP/1.0 HTTP/1.1 200 OK Connection: close Date: Wed, 17 Jul 2002 08:35:41 GMT Server: Apache Tomcat/4.0.4-dev (HTTP/1.1 Connector) Set-Cookie: JSESSIONID=B99CA58101240A23769268A84F196E1E;Path=/web1 included servlet's session count: 10 Connection closed by foreign host.
Created attachment 2377 [details] Web apps used to reproduce the problem described in the bug
*** This bug has been marked as a duplicate of 4690 ***