
I am running a Spring application on Websphere Liberty Profile 16.0.0.2. After a successful login, I see the JSESSIONID cookie in the request header as J1. I invalidate the session and create a new one. Now the next request contains the same JSESSIONID cookie value, i.e. J1, instead of something new, as expected after a session invalidation.

After some research, I tried the following Session Management settings via the server.xml.

<httpSession idLength="28" invalidateOnUnauthorizedSessionRequestException="true" cookieSecure="true" useInvalidatedId="false"></httpSession>

Still, the behaviour remains the same.

Interestingly, when I deploy the same web application on Tomcat 8, I see different JSESSIONID cookie values as expected. Something is more stubborn with WLP. Please suggest.

Pankaj Dwivedi

3 Answers


The JSESSIONID cookie can be specified by the client. If this wasn't intended, it may be due to a cookie preserved or cached by the browser. Try clearing the cookie on the client side.

Request.getRequestedSessionId() should be able to verify it:

https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getRequestedSessionId%28%29
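As an added illustration, not code from the question or from any of the answers, the following helper performs the invalidate-and-recreate step from the question and uses getRequestedSessionId(), as this answer suggests, to detect whether the container handed back the ID the client sent. The class name and the carry-over of session attributes are my assumptions; the configuration attributes named in the warning are the ones mentioned on this page.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotate the session after login and check that the ID really changed. */
public final class SessionRotation {
    private static final Logger LOG = Logger.getLogger(SessionRotation.class.getName());

    private SessionRotation() {}

    /**
     * Invalidates the current session, creates a fresh one, and returns it.
     * Attributes are copied across (assumption: the caller wants the login state preserved).
     */
    public static HttpSession rotate(HttpServletRequest request) {
        // The ID the browser presented with this request (J1 in the question).
        String requestedId = request.getRequestedSessionId();

        HttpSession old = request.getSession(false);
        Map<String, Object> carryOver = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                carryOver.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);
        carryOver.forEach(fresh::setAttribute);

        // Defensive check: after invalidation the container must not reuse the presented ID.
        if (requestedId != null && requestedId.equals(fresh.getId())) {
            LOG.warning("Session ID " + requestedId + " was reused after invalidation; "
                    + "review httpSession idReuse / useInvalidatedId in server.xml");
        }
        return fresh;
    }
}
```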


I tried to look for JSESSIONID behavior for a web application running on WebSphere Liberty server involving Form Login and Logout.

1) When the login page was displayed, a JSESSIONID cookie existed, let's say with ID J1. After logging in with a valid user/password, JSESSIONID remained J1 as expected.

2) Then I did a form logout (ibm_security_logout), which is implemented as described in the following doc. After logout, I saw that the JSESSIONID value had changed to J2. So I did see the JSESSIONID being invalidated and a new one created.

https://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_pofolo.html

The only difference I see between our scenarios could be how we are invalidating the session. Can you log in as a different user next time? If the session did not get invalidated, then logging in as a different user (e.g. user2) will cause an exception, as the session will still be owned by the previous user (e.g. user1).

M. Tamboli

Comment: Thanks for sharing that link. However, it is confusing, as it explains that you need form-logout to log out (optional). But what if you don't have a specific form to log out? Like in the case where you have a nav-bar and a "Log out" button. In that case, there is no form to log out, so no way to specify *ibm_security_logout* as the FORM ACTION. Does ```session.invalidate()``` suffice to log out the user as per the description in the article? – pixel Apr 11 '23 at 18:36

Try setting idReuse to false in httpSession.

bigfoot