
I'm using Spring Security in my web app. As far as I know, the JSESSIONID cookie is used for authentication.

It's clear to me that the cookie should exist after successful authentication but what's the point of this cookie before authentication takes place?

I'm using default spring boot with spring security configuration.

When I go to the default /login URL, the cookie already exists:

[screenshot]

I tried to debug the authentication process by creating a breakpoint in UsernamePasswordAuthenticationFilter. After I enter my username and the password, I'm successfully authenticated using the same cookie (sessionId) in details of the UsernameAuthenticationToken

[screenshot]

However, when I'm finally authenticated the cookie gets replaced by another one like so:

[screenshot]

From now on, the cookie in response is used inside the application.

My question is: how (regarding cookie generation), where and why is this cookie set before the user is authenticated? In addition, is the "pre-JSESSIONID" cookie somehow used to create the "real" JSESSIONID?

Joe D
  • If the linked duplicate doesn't answer your question, please ping me here, and I'll retract my close vote and reopen the question. – dunni Feb 14 '22 at 17:51
  • One of the use cases in Spring Security is to save the request in the session to be able to redirect after successful authentication. If you request `/protected` unauthenticated, for example, this request gets saved and you are redirected to the `/login` page. After you provide valid credentials, Spring Security looks for this saved request and redirects you to that path. Take a look at `ExceptionTranslationFilter#sendStartAuthentication`. – Marcus Hert da Coregio Feb 14 '22 at 19:06
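The two mechanisms behind the question and Marcus's comment, made explicit in an added Spring Security configuration (this is not code from the question, the comments or Spring itself; it assumes Spring Boot 3 / Spring Security 6 and the lambda DSL). The request cache is what creates the HttpSession, and therefore the pre-login JSESSIONID, when an unauthenticated request to a protected URL is saved; session fixation protection is what replaces the session id on successful login, which is the "new" cookie seen in the last screenshot.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

// Added example configuration (not from the question or from Spring); assumes Spring Security 6.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Saved-request cache: when an unauthenticated request hits a protected URL,
        // ExceptionTranslationFilter#sendStartAuthentication stores the request in the
        // HttpSession before redirecting to /login. Creating that session is what sets
        // the JSESSIONID cookie the browser holds before any credentials are sent.
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // After login, SavedRequestAwareAuthenticationSuccessHandler reads the
            // saved request back from this cache and redirects to its original URL.
            .requestCache(cache -> cache.requestCache(requestCache))
            .sessionManagement(session -> session
                // Session fixation protection: on successful authentication Spring
                // Security replaces the session id, so the client receives a new
                // JSESSIONID and the pre-login id can no longer address the
                // authenticated session. changeSessionId() keeps session attributes
                // (including the saved request); newSession() would discard them,
                // and none() would keep the pre-login id, which is the unsafe setting.
                .sessionFixation().changeSessionId());

        return http.build();
    }
}
```

To confirm the behaviour, watch the Set-Cookie header on the POST to /login: with changeSessionId() or migrateSession() it carries a different JSESSIONID than the one sent with the request.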
