
[WEB SECURITY] Duplicate jsessionid cookies in request




Hi,

I would appreciate any help with this strange situation I encountered:
receiving duplicate jsessionid cookies with different values in a request.

I am monitoring traffic on a site and I see a request coming in with 2
jsessionid cookies with different values (step 9 below).
Scenario:
1. client sends a request with no cookies
2. Server sends set-cookie jsessionid=A
3. client uses the cookie, jsessionid=A on several requests
...
4. client sends a request with no cookies
5. Server sends set-cookie jsessionid=B
6. client uses the cookie, jsessionid=B on several requests
...
7. client sends a request with cookie, jsessionid=B
8. Server sends set-cookie jsessionid=C
9. client uses 2 cookies: jsessionid=A and jsessionid=C on several requests

How would the client remember the cookie A and use it all of a sudden?

When saying client, I mean a certain IP. The requests are sent using
NetCache. Some of the client headers are:
X-Forwarded-For: <same client IP>
Via: 1.1 NetCache-DSL-MED-Stack2

The server is Apache/2.0.47, IBM_HTTP_Server.
The set-cookie headers are sent with Cache-Control:
no-cache="set-cookie,set-cookie2"

Thanks a lot,
Rami
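
For anyone monitoring traffic for the pattern described in this post, the following added example (not part of the original message) flags requests whose Cookie header carries the same cookie name with different values, and reports which values are not the one most recently issued to that client. The event tuple format, the function names and the trace are assumptions constructed from steps 1-9 above, with the client keyed by its X-Forwarded-For address.

```python
from collections import defaultdict

def parse_cookie_header(header):
    """Return (name, value) pairs in header order, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def duplicate_cookies(header):
    """Map cookie name -> distinct values, for names sent with more than one value."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        if value not in seen[name]:
            seen[name].append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}

def audit(events, cookie="jsessionid"):
    """events: (client, kind, header) in time order; kind is "set" for a
    Set-Cookie response header or "req" for a request Cookie header."""
    issued = defaultdict(list)  # client -> session values in the order issued
    findings = []
    for idx, (client, kind, header) in enumerate(events):
        if kind == "set":
            pairs = parse_cookie_header(header)
            # The first pair is name=value; later pairs are attributes (Path, ...).
            if pairs and pairs[0][0] == cookie:
                issued[client].append(pairs[0][1])
            continue
        values = duplicate_cookies(header).get(cookie)
        if values:
            latest = issued[client][-1] if issued[client] else None
            findings.append({"event": idx, "client": client, "values": values,
                             "stale": [v for v in values if v != latest]})
    return findings

# Constructed trace mirroring steps 1-9; 192.0.2.10 is a documentation address.
IP = "192.0.2.10"
TRACE = [
    (IP, "req", ""), (IP, "set", "jsessionid=A; Path=/"), (IP, "req", "jsessionid=A"),
    (IP, "req", ""), (IP, "set", "jsessionid=B; Path=/"), (IP, "req", "jsessionid=B"),
    (IP, "req", "jsessionid=B"), (IP, "set", "jsessionid=C; Path=/"),
    (IP, "req", "jsessionid=A; jsessionid=C"),
]

if __name__ == "__main__":
    for finding in audit(TRACE):
        print(finding)
```
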

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/