
I have two different applications, say A and B. Both are using Spring Security with the same configuration. Here is my situation:

I log into my A application. Everything works fine. But when I log into my B application (it has the same IP but a different PORT) in another tab in the same browser, I see these lines (below) and I am thrown out of the A application, which means I am no longer authenticated in it.

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain : /webapp/backoffice/index.jsp at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.context.HttpSessionSecurityContextRepository : No HttpSession currently exists

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.context.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.

  1. I am using HttpSessionSecurityContextRepository as SecurityContextRepository.
  2. I have enabled SessionMigration for security purposes.
  3. I am using ConcurrentSessionFilter, to prevent someone being logged in via two or more devices.

But I do not understand why logging into my B application removes the HttpSession from the A application. (Or maybe something else is happening.)

I want to know whether these applications share something in common within the browser.

As I was asked about their IP/PORT, you should know that their IPs are the same (both localhost) but they have different ports:
A) localhost:8080/dtts/backoffice
B) localhost:8081/dtts/backoffice

SOLVED
The problem was that for every URL/Path there is a unique JSESSIONID. Both of my applications use URL: localhost and Path: dtts. That's why the second JSESSIONID replaces the first one.
Matin Kh
  • Are both the IP address *and* the port different for each application? I'd recommend using a tool like Fiddler to analyse the traffic going back and forward to each web application, especially the contents of the JSESSIONID cookies. – kevin847 May 20 '13 at 15:07
  • Please provide URLs of A and B – Maksym Demidas May 21 '13 at 08:18
  • Updated the answer. Their IPs are the same (both are `localhost`) but they have different ports (`A` uses 8080, and `B` uses 8081) – Matin Kh May 22 '13 at 05:15

1 Answer

The cookie from application B is overwriting the cookie stored in the browser for application A, because both cookies are from the same server, i.e. 'localhost', and both cookies have the same name, i.e. 'JSESSIONID'.

Cookies are not port specific. This is discussed in this question: Are HTTP cookies port specific?

I believe your options are:

  • Use a different IP or server name to access each application (e.g. localhost and 127.0.0.1, or applicationA.mydomain.com and applicationB.mydomain.com)
  • Use a different name for the session cookie in the container that each application is running in
kevin847
  • That sounds logical! How can I have different session cookie names for these applications? – Matin Kh May 25 '13 at 07:33
  • If using tomcat 7, it's the sessionCookieName attribute in Context.XML. See docs here: http://tomcat.apache.org/migration-7.html#Session_manager_configuration – kevin847 May 25 '13 at 16:15
  • I have read the document, and it says it is not a good idea to change the `JSESSIONID` name to anything else, as the Servlet uses this name by default. – Matin Kh May 28 '13 at 10:16
  • Yeah, the first option is certainly the nicer way to go about fixing this, if it's possible in your deployment model. – kevin847 May 28 '13 at 10:56
  • It turned out to be path-specific, and not related to port. So there will be a unique `JSESSIONID` for every `URL/Path`. My problem was that two applications used the same `Path` as well. – Matin Kh May 28 '13 at 12:14
  • Cool, thanks for update. I can't recommend Fiddler enough for this kind of problem btw. Cheers. – kevin847 May 28 '13 at 12:21
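The cookie scoping described in the answer, and the path detail confirmed in the last comments, as an added example that is not from the question, the answer or any of the commenters: a constructed, minimal model of a browser cookie jar keyed the way RFC 6265 keys cookies (name, host, path), which is enough to reproduce why `localhost:8080/dtts` and `localhost:8081/dtts` share one `JSESSIONID` while different hosts, paths or cookie names keep two sessions apart. The sample URLs and session values are constructed.

```python
from urllib.parse import urlsplit

# Constructed model of a browser cookie jar. Cookies are keyed on
# (name, host, path), which is how RFC 6265 stores them; the port is not part of the key.
class CookieJar:
    def __init__(self):
        self.cookies = {}  # (name, host, path) -> value

    def store(self, request_url, set_cookie_header):
        """Apply a Set-Cookie header received in a response to request_url."""
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in parts[1:])}
        url = urlsplit(request_url)
        path = attrs.get("path") or default_path(url.path)
        # url.hostname drops the port, so localhost:8080 and localhost:8081 collide
        self.cookies[(name, url.hostname, path)] = value

    def cookies_for(self, request_url):
        """Return the {name: value} pairs a browser would send to request_url."""
        url = urlsplit(request_url)
        return {name: value for (name, host, path), value in self.cookies.items()
                if host == url.hostname and path_matches(url.path, path)}

def default_path(request_path):
    # RFC 6265 5.1.4: the request path up to, but excluding, its last segment
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def path_matches(request_path, cookie_path):
    # RFC 6265 5.1.4 path-match rules
    if request_path == cookie_path:
        return True
    return (request_path.startswith(cookie_path)
            and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def surviving_cookies(url_a, cookie_a, url_b, cookie_b):
    """Log in to A, then to B; return what the browser now sends to each application."""
    jar = CookieJar()
    jar.store(url_a, cookie_a)
    jar.store(url_b, cookie_b)
    return jar.cookies_for(url_a), jar.cookies_for(url_b)

if __name__ == "__main__":
    # The question's setup: same host, same context path /dtts, different ports
    print(surviving_cookies("http://localhost:8080/dtts/backoffice", "JSESSIONID=sessA; Path=/dtts",
                            "http://localhost:8081/dtts/backoffice", "JSESSIONID=sessB; Path=/dtts"))
```

Running it shows both applications receiving `sessB`, i.e. A's session cookie was overwritten; changing the host, the context path or the cookie name in the calls makes both sessions survive.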