1 Reply Latest reply on Jan 5, 2006 12:46 AM by coreyjohnston

    Cookies crumbling

    coreyjohnston

      I'm fairly sure that I've spotted a bug in either Tomcat or JBoss in the way cookies are handled.

      My understanding of the directive in jboss-web.xml, <use-session-cookies>, was that it would enable or disable the use of cookies by the web container when tracking sessions.

      i.e. I would have expected that setting this to false would totally prevent cookies from being used (i.e. "disable" them), and force the container to fall back to URL rewriting.

      Indeed, that's the way it generally seems to work for us.
      However, I've found one circumstance where this setting appears to be ignored by the web container, and cookies are used when they shouldn't be.

      If you take two webapps, one that allows cookies (app A), and one that disables them (app B), a problem can occur which results in A using cookies. If you run app B by itself, it won't use cookies, as expected. However, when you run app A followed by app B, app B will continue to use cookies, despite its descriptors explicitly disabling them.

      It's a problem for us because in some circumstances we want to prevent the appserver from using cookies (to permit a user to access multiple instances of the same webapp from the same browser simultaneously).

      NB: I've also disabled cookies where appropriate in the context.xml file, but they still seem to get used by the second app, if the user has already accessed the first app which uses cookies on the same server.

      It seems that the jboss-web directive isn't in fact disabling cookies when it's set to false.

      Any suggestions/workarounds/fixes would be appreciated!