2

Has anybody faced an issue where cookie JSESSIONID is not present when reaches filters. The cookie is not present and Spring Security considers this request as from anonymous user and sends a redirect to the login page. The request comes from 3rd party integration to an application. This is reproducible not in 100% cases but rather 50/50.

Moreover, if intercept the request via Postman Interceptor then the cookie is present, but when it comes to filters then apparently the cookie is not present anymore. It works fine in Safari and Firefox.

Chrome version: 80.0.3987.149 Tomcat: 8.5.32

Eugene
  • 49
  • 1
  • 3
  • This may be caused by the same issue reported here https://stackoverflow.com/a/60850921/11430047 – Eleftheria Stein-Kousathana Apr 02 '20 at 18:40
  • thanks for your answer @EleftheriaStein-Kousathana, yes indeed it could be related, but why it's not reproduced each time? Sometimes chrome accepts the cookie and sometimes rejects – Eugene Apr 03 '20 at 07:50
  • One possible reason is that this is not rolled out for all users yet. From https://www.chromium.org/updates/same-site "The controlled rollout is to a limited initial population, and the proportion of users receiving the new behavior will be gradually increased until it reaches 100%" – Eleftheria Stein-Kousathana Apr 03 '20 at 13:09
  • Another possible reason is this exception that they make: "Note: Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago" from https://chromestatus.com/feature/5088147346030592 – Eleftheria Stein-Kousathana Apr 03 '20 at 13:10

0 Answers0