
How to prevent JSESSIONID from being created if using DefaultCookieSerializer of spring 5.X with Tomcat 8

I am migrating to spring 5.X and have configured DefaultCookieSerializer with cookieName "CUSTSESSION" for a domain called colombiaonline.com. The session is stored in redis using RedisHttpSessionConfiguration. springSecurityFilterChain is defined after springSessionRepositoryFilter in the Spring application context. The application is deployed on Tomcat 8 (sessionCookieDomain in context.xml is set to "colombiaonline.com").

URL for application is dev.colombiaonline.com.

Now my issue is: two cookies are created

  1. CUSTSESSION is created with domain colombiaonline.com as configured.
  2. JSESSIONID is created for domain dev.colombiaonline.com, which is not expected.

How do I stop JSESSIONID from being created, as it is causing problems?

I was able to fix the issue. It was only the browser cache that was causing it. The configuration was correct, and once I opened my site in incognito mode it worked for me.

However, there is one more thing we need to take care of: the "sameSite" attribute. Its default value is "Lax", which is different from "None". If you hop between sites and want the session to be managed properly, configure sameSite properly; in my case it was "None" earlier, but after migrating to 5.x it was set to "Lax", which was causing the problem. Refer to https://security.stackexchange.com/questions/168365/is-setting-same-site-attribute-of-a-cookie-to-lax-the-same-as-not-setting-the-sa
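For reference, the configuration the answer describes (custom cookie name, parent-domain cookie, Redis-backed session, explicit sameSite) looks like this in a Spring Session Java config. This is an added example, not code from the original question or answer: the class name SessionConfig, the Redis connection factory defaults (localhost:6379) and the Secure/HttpOnly flags are assumptions; the cookie name and domain are taken from the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Spring Session configuration. @EnableRedisHttpSession registers the
 * springSessionRepositoryFilter that replaces the container HttpSession,
 * so Tomcat's own JSESSIONID is no longer needed for session tracking.
 * (Illustrative config; class name and Redis defaults are assumptions.)
 */
@Configuration
@EnableRedisHttpSession
public class SessionConfig {

    // Assumption: Redis on localhost:6379. Replace with the real host/port.
    @Bean
    public RedisConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory();
    }

    // Overriding the CookieSerializer bean is how Spring Session lets you
    // control the name, domain and attributes of the session cookie.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();

        // Cookie name from the question instead of the default SESSION.
        serializer.setCookieName("CUSTSESSION");

        // Parent domain so dev.colombiaonline.com and other subdomains share it.
        serializer.setDomainName("colombiaonline.com");
        serializer.setCookiePath("/");

        // Defensive defaults: not readable from script, only sent over TLS.
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);

        // Spring Session 2.1+ defaults SameSite to "Lax". If the session must
        // survive cross-site navigations (as in the answer), set it explicitly.
        // Browsers reject SameSite=None cookies that lack the Secure flag,
        // so setUseSecureCookie(true) above is required for this to work.
        serializer.setSameSite("None");

        return serializer;
    }
}
```

To verify, log in once and inspect the Set-Cookie response headers (browser devtools or `curl -v`): only CUSTSESSION with Domain=colombiaonline.com; SameSite=None; Secure; HttpOnly should appear. If a JSESSIONID still shows up with a fresh profile, something is calling `request.getSession()` on the raw container request before springSessionRepositoryFilter runs (a filter ordered ahead of it, or a JSP with session support enabled), which makes Tomcat create its own session regardless of the Spring Session configuration.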
