User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Session data from port 80 was sent to port 8080 (cookies, etc.)

Reproducible: Always

Steps to Reproduce:
1. I have a page that needs login (using cookies); it sits under port 80.
2. Using the web browser (Firefox), I open the page and log in.
3. Without closing Firefox, I start up TCPMon (the one from Apache Axis), listen on port 8080, and forward the requests to port 80.
4. Using Firefox, I open the page again (http://localhost:8080).

I was surprised that I was allowed to come in. So I reason that my cookies for port 80 must have been sent to port 8080. This is a bug unless it has something to do with the way I get the session. In the servlet filter, I call: sess = request.getSession(true); which would generate the session key and store it in the cookies.
Cookies are agnostic about port; they use host and path (http://www.faqs.org/rfcs/rfc2109.html). The proposed "Cookie2" spec (http://www.faqs.org/rfcs/rfc2965.html) addressed this by adding an optional PORT list that would restrict a cookie to only that port or ports. In the absence of a port specifier, cookies are still available to all ports for backward compatibility (but Cookie2 never really caught on).
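
The matching rule described in the comment above, as an added example that is not part of the original bug thread and is not browser source code. It is a simplified model: host-only matching, RFC 2109 prefix matching on the path, and the RFC 2965 Port attribute. The cookie name "session", the /app paths and all function names are constructed for illustration.

```javascript
// Simplified cookie-selection model (added example, not Firefox code).
// A stored cookie is { name, host, path, ports }; `ports` is null when no
// Port attribute was given, otherwise an array of allowed port numbers.

function effectivePort(url) {
  if (url.port !== "") return Number(url.port);
  return url.protocol === "https:" ? 443 : 80;
}

// Store a cookie from a response. `portAttr` models the RFC 2965 Port
// attribute: undefined = absent, "" = bare Port, "80,8080" = port list.
function storeCookie(name, responseUrl, path, portAttr) {
  const url = new URL(responseUrl);
  let ports = null;                          // absent: any port may receive it
  if (portAttr === "") {
    ports = [effectivePort(url)];            // bare Port: only the setting port
  } else if (portAttr !== undefined) {
    ports = portAttr.split(",").map((p) => Number(p.trim()));
  }
  return { name, host: url.hostname, path, ports };
}

// Decide whether the cookie accompanies a request to `requestUrl`.
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (url.hostname !== cookie.host) return false;        // host must match
  if (!url.pathname.startsWith(cookie.path)) return false; // path prefix match
  if (cookie.ports === null) return true;                // port never consulted
  return cookie.ports.includes(effectivePort(url));
}

// Constructed scenario from the report: login on port 80, TCPMon on 8080.
const loginUrl = "http://localhost/app/login";
const proxyUrl = "http://localhost:8080/app/page";
const plain = storeCookie("session", loginUrl, "/app");            // no Port
const pinned = storeCookie("session", loginUrl, "/app", "");       // bare Port
const listed = storeCookie("session", loginUrl, "/app", "80,8080");

function report() {
  return {
    plainToProxy: wouldSend(plain, proxyUrl),
    pinnedToProxy: wouldSend(pinned, proxyUrl),
    pinnedToOrigin: wouldSend(pinned, "http://localhost/app/page"),
    listedToProxy: wouldSend(listed, proxyUrl),
  };
}

console.log(report());
```

A session cookie without a port restriction is therefore visible to any service listening on another port of the same host, so services that must not share sessions need distinct hostnames rather than distinct ports.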
> (but Cookie2 never really caught on).

Opera supports it... (Authors won't use Cookie2 until it is widely implemented.)
*** This bug has been marked as a duplicate of 189784 ***