I am migrating to Spring 5.X and configured DefaultCookieSerializer with cookieName "CUSTSESSION" for a domain called colombiaonline.com. This session is stored in Redis using RedisHttpSessionConfiguration. springSecurityFilterChain is defined after springSessionRepositoryFilter in the application context of Spring. The application is deployed on Tomcat 8 (in context.xml, sessionCookieDomain is set as "colombiaonline.com"). The URL for the application is dev.colombiaonline.com.
Now my issue is -- Two cookies are created
How do I stop JSESSIONID from being created, as it is causing a problem?
I am able to fix the issue. It was only the browser cache that was causing this issue. The configuration was correct, and once I opened my site in incognito it worked for me.
However, there is one more thing that we need to take care of: the "sameSite" attribute. Its default value is "Lax", which is different from "None". If you hop between sites and want the session to be managed properly, configure sameSite properly. In my case it was none earlier, but after migrating to 5.x it was set to "Lax", which was causing the problem. Refer to https://security.stackexchange.com/questions/168365/is-setting-same-site-attribute-of-a-cookie-to-lax-the-same-as-not-setting-the-sa
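One way to set the cookie attributes discussed above in Java configuration, as an added example that is not the poster's own configuration: the class name SessionCookieConfig is hypothetical, and SameSite=None is chosen on the assumption that the session must survive the cross-site hops the answer describes. Current browsers reject SameSite=None cookies that are not also marked Secure, so the two are set together.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Hypothetical configuration class; Spring Session uses a CookieSerializer
// bean, when one is defined, to write the session cookie.
@Configuration
public class SessionCookieConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();

        // Cookie name and parent domain taken from the question, so the cookie
        // is shared by dev.colombiaonline.com and its sibling hosts.
        serializer.setCookieName("CUSTSESSION");
        serializer.setDomainName("colombiaonline.com");
        serializer.setCookiePath("/");

        // DefaultCookieSerializer writes SameSite=Lax unless told otherwise.
        // With Lax the cookie is withheld on cross-site POSTs and on embedded
        // (iframe, XHR) requests, which breaks flows that hop between sites.
        // Keep "Lax" (or use "Strict") if the application never needs that.
        serializer.setSameSite("None");

        // SameSite=None is only honoured over HTTPS with the Secure flag set.
        serializer.setUseSecureCookie(true);

        // Keep the session id out of reach of page scripts.
        serializer.setUseHttpOnlyCookie(true);

        // With SameSite=None the browser sends the session cookie on every
        // cross-site request again, so CSRF protection in Spring Security
        // must stay enabled.
        return serializer;
    }
}
```

After changing these attributes, check the Set-Cookie response header in a fresh browser profile, since a cookie cached from the old configuration can mask the result.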