Tomcat - spring does not create JSESSIONID with http when https was used before

This article shows how to get a new session over the http protocol when the web browser blocks the Set-Cookie header with JSESSIONID after https was used.

1. Problem description

Google Chrome error:

This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.

When the https protocol is in use, Tomcat creates the JSESSIONID cookie with the Secure property, which makes it impossible to create JSESSIONID again over the http protocol.

Issue screenshot: Google Chrome DevTools with blocked JSESSIONID on localhost (Tomcat).

Response header for http with Secure property:

Set-Cookie: JSESSIONID=494B7D14488AF5713852C4D21A042A622C49639F9E3BDB929177F43628689574FDC9F68901A2BEBECA9D792F4F3DF97701FA; Path=/; Secure; HttpOnly

2. Problem solution

Simple Steps:

  1. open https://localhost,
  2. go to Application tab in Google Chrome DevTools,
  3. remove JSESSIONID cookie - do not refresh web browser,
  4. go to http://localhost - it will create JSESSIONID without Secure property,
  5. now you can use Tomcat sessions with http again.
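
The following is an added example, not code from the original article or from Chrome or Tomcat: a simplified JavaScript model of the cookie-store check behind the Chrome message (the "leave secure cookies alone" rule of the RFC 6265bis draft), replaying the scenario and steps above. The `CookieJar` class, its method names, the result strings and the session values are assumptions made for illustration, and only host-only cookies are modelled.

```javascript
// Simplified model of the browser cookie-store check behind the Chrome message
// (the "leave secure cookies alone" rule of the RFC 6265bis draft).
// Assumption: host-only cookies, so domain matching is plain host equality.

// True when newPath falls under existingPath (RFC 6265 path-match).
function pathMatches(newPath, existingPath) {
  if (newPath === existingPath) return true;
  if (!newPath.startsWith(existingPath)) return false;
  return existingPath.endsWith("/") || newPath[existingPath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Returns "stored" or the reason the Set-Cookie was ignored.
  setCookie(url, { name, value, path = "/", secure = false }) {
    const { protocol, hostname } = new URL(url);
    const secureScheme = protocol === "https:";
    // A Secure cookie can never be set from a plain http response.
    if (!secureScheme && secure) return "blocked: Secure attribute over http";
    if (!secureScheme) {
      // An http response must not replace or shadow an existing Secure cookie.
      const clash = this.cookies.some(c =>
        c.name === name && c.secure && c.host === hostname &&
        pathMatches(path, c.path));
      if (clash) return "blocked: would overwrite Secure cookie";
    }
    this.remove(hostname, name, path);
    this.cookies.push({ name, value, path, secure, host: hostname });
    return "stored";
  }

  remove(host, name, path = "/") {
    this.cookies = this.cookies.filter(c =>
      !(c.host === host && c.name === name && c.path === path));
  }
}

// Replays the article's scenario with constructed session values.
function replayScenario() {
  const jar = new CookieJar();
  const log = [];
  log.push(jar.setCookie("https://localhost/", { name: "JSESSIONID", value: "A1", secure: true }));
  log.push(jar.setCookie("http://localhost/", { name: "JSESSIONID", value: "B2" }));
  jar.remove("localhost", "JSESSIONID"); // step 3: delete the cookie in DevTools
  log.push(jar.setCookie("http://localhost/", { name: "JSESSIONID", value: "C3" }));
  return log;
}
```

`replayScenario()` returns the three outcomes in order: the https cookie is stored, the http cookie is blocked while the Secure one exists, and the http cookie is stored once the Secure one has been removed.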

3. Advice

  • do not mix http with https,
  • it is good to add a redirect to https if it is possible.