JSESSIONID changes without any request

Question

I'm using Spring boot. And it occurs in https protocol.

When I access to the website, the JSESSION cookie is created.

After page loaded, when I refresh the Developer tools > Application > Cookies the JSESSION cookie is changed to something else without any request or redirection.

It sometimes happen, but not always.

When I use chrome's secret mode or delete chrome browsing history, it doesn't happen.

I added SameSite=None; Secure; to JSESSION cookie, but it didn't work.

What do I have to do?

score 2 · Answer 1 · answered Sep 19 '22 at 07:15

2

Spring Security changes the session id, before you are authenticated, to another session id, after you are authenticated. That's done to prevent the "session fixation attack"

answered Sep 19 '22 at 07:15

Manuel

3,828
6
33
48

Can it cause difference between http localhost and https server? – Rurien Sep 19 '22 at 07:23
And if spring security changes JSESSIONID after login, it should always happen. But it happens randomly.. – Rurien Sep 19 '22 at 07:37
Show us your spring-security configuration, maybe we then can help you. Also include a minimum example to reproduce the problem. – Manuel Sep 19 '22 at 07:54
I think I don't have any spring-security related configuration – Rurien Sep 20 '22 at 00:53
Your answer were not my solution, but thank you for increasing my knowledge. – Rurien Sep 22 '22 at 07:57

score 0 · Answer 2 · answered Sep 22 '22 at 08:08

The problem were not in my Spring boot application.

The Nginx server had two different web application on same domain.

And their JSESSIONID cookie path were same ('/').

Other web application overwrote my web application's JSESSIONID cookie.

So I asked to change Nginx config(Probably it was proxy config).

JSESSIONID changes without any request

2 Answers2