Resolution: Not A Bug
Affects Version/s: 2.1.18
Fix Version/s: None
Environment:OS: Linux / Windows
Container: Tomcat 8.0.X
JDK: Oracle JDK 1.8.0_X
I'm one of those who often gets unexplainable ViewExpiredExceptions. Now, I analysed them with a minimal "helloworld" test project. I called the webapp "jsf_test". The Exceptions occurred when I displayed a form in the browser and clicked it within a few seconds.
In the web console of firefox, I could see that the session cookie was set with the path /jsf%5ftest, while the other cookies (e.g. oam.Flash.RENDERMAP.TOKEN) were set with the path /jsf_test. It looks like firefox does not send the session cookie with the next request, while chromium ignores the difference. You can see in the tomcat manager webapp that the session count increases when you reload the page.
I also noticed that the issue does not occur on every deployment / tomcat restart. It looks like the webapp name is stored internally during initialization, and depending on little timing variations (race condition ?), it is either initialized to the escaped or the unescaped value. Tomcat manager always displays the unescaped name.
Among my collegues, some are always affected, some occasionally, and some never.
After renaming the webapp to "jsftest", the Exceptions and session count increments were gone.
The issue also occurs with a minus in the name, like "jsf-test".
Unfortunately, my real-life productive project has an underscore in it's name too, but as many users have bookmarked it, I can't just rename it.