Why does spring security log out the user?

Question

I can start 2 projects with jetty on different port numbers over HTTP with jsp, servlet and a common data storage (hibernate). One of the projects is "public" web (port 8080) and the other project is "admin web" (port 8899) where the admin web uses spring security for login / logout. But when I make an insert from public web (port 8080) which doesn't use spring security, the session with spring security with port 8899 gets broken and I get logged out and must log in again to see the update from the public web on port 8080. The 2 projects have the same context ("/foo") in the maven jetty plugin configuration but on different ports so the behavior is somewhat unexpected. If I use 2 different context eg /foo on port 8080 and /zar on port 8899 then the spring security session persists. Is there some reason for why the configuration can't have identical context for different ports or something else that is an explanation for why a user gets logged out after a database insert at another port number with another project?

Answer 1

Is there some reason for why the configuration can't have identical context for different ports

Yes. The cookie standard says that services on different ports count as the same origin. This is unfortunate as it differs from the JavaScript Same Origin Policy and it's almost never what you want, but we are stuck with it now.

So if you set a JSESSIONID cookie on a port 8080 service, it will override any previous JSESSIONID cookie set by a port 8999 service. When you go back to the 8999 service, the cookie generated by the 8080 service is unknown, so you're not recognised as logged in.

Workarounds include:

1. using different paths;
2. overriding the default session ID cookie name so that each app has a different cookie ( <session-config><cookie-config><name> );
3. manually sharing sessions between apps (with eg crossContext="true" in Tomcat).

I'd suggest (2).