2

I have two spring boot applications.

  • module1 running on port 8080
  • module2 running on port 9090

I have set the ports using this property in the application.properties file:

server.port=${port:9090}

Both modules have /login and /signup, which are accessible without authentication; this is accomplished via the code below.

http.authorizeRequests()
            .antMatchers("/signup", "/login").permitAll()

Any other request requires that the user be authenticated.

If I use one module at a time there is no problem.

But if I try to use them back and forth at the same time, the problem is that I have to log in again to the previous app every time I use the other one. E.g.:

  1. Go to the Login page of module1 - (Header response has set jsessionid=XX) ok
  2. Log in to module1 - ok
  3. Browse secured content on module1 - ok
  4. Go to the Sign Up page on module2 - (Header response has set jsessionid=YY) ok
  5. Try to browse to another secured content on module1 - I have to log in again

I'm quite sure it's due to the jsessionid being reset by module2.

Are HTTP cookies port specific? I have read this article which states that cookies are not port specific.

But there must be a solution so that I don't have to log in every time I switch apps.

nissim_dev
  • 1
    Map your applications to different context paths, so the JSESSIONID cookies will be independent; otherwise, the cookie is for the same context, so there is effectively one cookie for both applications. Another solution would be to use different hosts. – Roman Puchkovskiy Apr 22 '17 at 18:29
  • @dur it's localhost:8080/ and localhost:9090/ – nissim_dev Apr 23 '17 at 13:35
  • @RomanPuchkovskiy does using different context paths really solve the problem? Because in the link that I posted, it says that cookies are specified on a domain level (i.e. localhost) – nissim_dev Apr 23 '17 at 13:35
  • 1
    A cookie is bound to a host + context path pair, so if context pairs are different (and each application sets the cookie path correctly), those will be two different independent cookies, even if the host is the same. – Roman Puchkovskiy Apr 23 '17 at 13:37
  • @Roman I have marked Stefan's answer as the correct one as it solves the problem. Doesn't it mean that localhost:8080 and localhost:9090 are two different hosts, creating two different context paths? – nissim_dev Apr 23 '17 at 13:56

2 Answers

8

You need to use different cookie names for the two applications.

There are different ways to do this; the simplest one, for a Spring Boot application with version >= 1.3, is just setting a property:

server.session.cookie.name = MYSESSIONID

Other ways are described in this post.

2

Map your applications to different context paths, so the JSESSIONID cookies will be independent; otherwise, the cookie is for the same context, so there is effectively one cookie for both applications. Another solution would be to use different hosts.

Please note that you don't only change the context path of the cookie here: if you change the context path of your application, the Servlet API implementation will handle the cookie context path change for you.

I've experimented a bit with same host and different context paths.

I currently have two applications launched; both have the Servlet API as their base (and the JSESSIONID cookie is defined by the Servlet API's session mechanics). The applications both run on localhost, on different ports, and with different contexts (/app1 and /app2). I've logged into both applications, and in Chrome's dialog which lists cookies I can see two JSESSIONID cookies: one for localhost and /app1 and another for localhost and /app2.

Then I log out in /app2. Its JSESSIONID is destroyed and recreated with different content (because I've been redirected to the login page again). (Please note that to see that change I had to close the Cookies dialog and reopen it, as Chrome did not update it on the fly.) At the same time, the JSESSIONID cookie which belongs to /app1 is intact, and I can proceed working in /app1 (so I was not logged out from it).

UPDATE

One more experiment. I've mapped both applications at the same context (/app1). They run on localhost:8084 and localhost:8085. I do the following:

  1. I log into the first application (port 8084)
  2. I log into the second application (port 8085)
  3. I switch back to the first application tab, click any link and see that the session is destroyed (as I am being redirected to login page).

So even if applications run on different ports of the same host with the same context path, they use the same cookie. Basically, this is what was said in "Are HTTP cookies port specific?": cookies do not provide isolation by port.

A little summary:

  1. Different hosts: no problem, cookies are different
  2. Different application contexts: no problem, cookies are different
  3. Same host, same application context, different ports: there is only one cookie, and this causes a conflict.

So the recipe is the same as before:

  1. Either use different hosts (that is, host names, not including the port)
  2. Or use different context paths
  3. Or (as another answer suggests) change cookie name to avoid the conflict
Roman Puchkovskiy
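The behaviour both answers rely on, as an added example (not code from either answer or from Spring): a minimal Python model of the RFC 6265 cookie store, which keys a cookie by name, host and path but not by port, replayed over the question's scenario and the three fixes. The class and function names, the session values XX/YY and the `example.test` host names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class ModelCookieJar:
    """Simplified browser cookie store (host-only cookies, no expiry)."""

    def __init__(self):
        # Storage key is (name, host, path). The port is NOT part of the key,
        # so a Set-Cookie from localhost:9090 replaces one from localhost:8080.
        self.store = {}

    def set_cookie(self, url, name, value, path="/"):
        self.store[(name, urlsplit(url).hostname, path)] = value

    def cookies_for(self, url):
        parts = urlsplit(url)
        sent = {}
        # Most specific path first, so it wins if two paths share a name.
        ordered = sorted(self.store.items(), key=lambda kv: -len(kv[0][2]))
        for (name, host, path), value in ordered:
            if host == parts.hostname and path_matches(parts.path or "/", path):
                sent.setdefault(name, value)
        return sent

def replay(app1, app2, name1="JSESSIONID", name2="JSESSIONID", path1="/", path2="/"):
    """Log in to app1 (session XX), visit app2 (session YY), then return
    the session id that app1 receives on its next secured request."""
    jar = ModelCookieJar()
    jar.set_cookie(app1, name1, "XX", path1)
    jar.set_cookie(app2, name2, "YY", path2)
    return jar.cookies_for(app1 + path1.rstrip("/") + "/secured").get(name1)

if __name__ == "__main__":
    a, b = "http://localhost:8080", "http://localhost:9090"
    # Constructed scenarios: the question's setup, then each fix from the answers.
    print("same host/path, two ports:", replay(a, b))                      # YY: app1's session is lost
    print("different cookie names:   ", replay(a, b, name2="MYSESSIONID"))  # XX
    print("different context paths:  ", replay(a, b, path1="/app1", path2="/app2"))  # XX
    print("different host names:     ",
          replay("http://app1.example.test:8080", "http://app2.example.test:9090"))  # XX
```

In the same model, a cookie set by the application on port 8080 is also sent on requests to port 9090, so renaming the cookie stops the overwrite but does not keep the session ID away from the other port; separate host names do.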