
I am developing a single page web application. I have included a Java filter to intercept the HTML page request. In this filter I am creating a session using `request.getSession()`, and then I am setting the `JSESSIONID` cookie explicitly, as I have to set the HttpOnly flag on the `Set-Cookie` response header to prevent XSS attacks reading the cookie through `document.cookie` on the client side.

Now, after login, I need the session, so I am accessing it using `request.getSession()`. According to the HttpServletRequest javadoc:

request.getSession() returns the current session associated with this request, or if the request does not have a session, creates one.

But I am getting a different session after login.

tiger
  • Define "different" session? A different instance than you expect or...? – nablex Feb 27 '14 at 13:26
  • @user1109519 A different session id is getting created and hence a different `JSESSIONID` cookie is sent to the browser than the previous one. – tiger Feb 27 '14 at 13:37
  • Are you setting the `JSESSIONID` every time in the filter? Show some code of the filter. – Subir Kumar Sao Mar 13 '14 at 07:59
  • Have you tried making that change at the container level (e.g. Tomcat) instead of changing the headers yourself? See http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps. – Nuno Guerreiro Apr 17 '14 at 12:35

1 Answer


It will return the same session if you are requesting the application from the same browser; if you are requesting from another browser, it will return a new session.
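Added example (not the asker's filter or the answerer's code): a Servlet 3.0+ filter that obtains the session with `request.getSession()` and logs whether the container reused an existing session or created a new one, alongside a listener that asks the container to flag its own `JSESSIONID` cookie as HttpOnly (and Secure) through `SessionCookieConfig`, so no second `Set-Cookie` header has to be written by hand. The class names `SessionTrackingFilter` and `SessionCookieHardening` are hypothetical; the code assumes a Servlet 3.0 container such as Tomcat 7 or later and an application served over HTTPS.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical listener: configure the container's own session cookie once at
// startup instead of emitting a hand-built Set-Cookie header on every request.
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // JSESSIONID is no longer readable via document.cookie
        cfg.setSecure(true);   // only sent over HTTPS (assumption: the app is served over TLS)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// Hypothetical filter: intercept every request, obtain the session, and record
// whether the JSESSIONID the browser sent still mapped to a live session.
@WebFilter("/*")
public class SessionTrackingFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // getSession(false) returns null when the request carried no valid
        // JSESSIONID; seeing "created" on every request is the symptom to look for.
        HttpSession existing = request.getSession(false);
        boolean created = (existing == null);

        // getSession() reuses the existing session or creates one. The container
        // writes the Set-Cookie header itself, with the flags set by the listener,
        // so a cookie the container recognises on the next request is guaranteed.
        HttpSession session = request.getSession();

        request.getServletContext().log(String.format(
                "%s %s -> session %s (%s)",
                request.getMethod(),
                request.getRequestURI(),
                session.getId(),
                created ? "created" : "reused"));

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The same cookie flags can be set declaratively in `web.xml` with `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`, which is the container-level approach one of the comments points to. Either way, the container remains the single writer of the `JSESSIONID` cookie, so the id it issues on one response is the id it looks up on the next request from the same browser; a different browser has no cookie to present and gets a fresh session, as the answer states.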