Tomcat - spring does not create JSESSIONID with http when https was used before

In this article, we show how to create a new session over http when the web browser blocks the Set-Cookie header with JSESSIONID after https was used.

1. Problem description

Google Chrome error:

This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.

When the https protocol is in use, Tomcat creates the JSESSIONID cookie with the Secure property, which makes it impossible to create JSESSIONID again over http.

Issue screenshot: Google Chrome DevTools with blocked JSESSIONID on localhost (Tomcat).

Response header for http with Secure property:

Set-Cookie: JSESSIONID=494B7D14488AF5713852C4D21A042A622C49639F9E3BDB929177F43628689574FDC9F68901A2BEBECA9D792F4F3DF97701FA; Path=/; Secure; HttpOnly

2. Problem solution

Simple Steps:

  1. open https://localhost,
  2. go to Application tab in Google Chrome DevTools,
  3. remove JSESSIONID cookie - do not refresh web browser,
  4. go to http://localhost - it will create JSESSIONID without Secure property,
  5. now you can use Tomcat sessions with http again.
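
The problem from section 1 and the steps above, replayed against a simplified model of the browser rule behind the Chrome message. This is an added example, not code from Chrome, Tomcat or the original article; `CookieJar`, `replayScenario` and the session id values are hypothetical, and cookies are matched on host and name only.

```javascript
// Simplified model (added example) of the rule behind the Chrome message:
// a response received over plain http may not overwrite a cookie that
// carries the Secure attribute. Path and domain matching are omitted.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // "host|name" -> { value, secure }
  }

  // Apply one Set-Cookie from a response to `url`; returns "stored" or "blocked".
  setCookie(url, name, value, { secure = false } = {}) {
    const { protocol, hostname } = new URL(url);
    const key = `${hostname}|${name}`;
    const existing = this.cookies.get(key);
    if (protocol !== 'https:' && existing && existing.secure) {
      return 'blocked'; // insecure connection would overwrite a Secure cookie
    }
    this.cookies.set(key, { value, secure });
    return 'stored';
  }

  // Manual removal, as done in the DevTools Application tab.
  deleteCookie(host, name) {
    return this.cookies.delete(`${host}|${name}`);
  }

  // Cookies the browser would attach to a request for `url`.
  cookiesFor(url) {
    const { protocol, hostname } = new URL(url);
    const out = {};
    for (const [key, c] of this.cookies) {
      const [host, name] = key.split('|');
      if (host === hostname && (!c.secure || protocol === 'https:')) out[name] = c.value;
    }
    return out;
  }
}

// Session ids below are constructed sample values, not real server output.
function replayScenario() {
  const jar = new CookieJar();
  const log = [];
  log.push(jar.setCookie('https://localhost/', 'JSESSIONID', 'AAA111', { secure: true }));
  // The http request carries no JSESSIONID, so the server issues a new one.
  log.push(Object.keys(jar.cookiesFor('http://localhost/')).length);
  log.push(jar.setCookie('http://localhost/', 'JSESSIONID', 'BBB222')); // blocked
  jar.deleteCookie('localhost', 'JSESSIONID'); // step 3 of the solution
  log.push(jar.setCookie('http://localhost/', 'JSESSIONID', 'CCC333'));
  log.push(jar.cookiesFor('http://localhost/').JSESSIONID);
  return log;
}
```

Because the Secure cookie is never sent over http, every http request looks session-less to the server, and each new Set-Cookie is blocked until the Secure cookie is removed.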

3. Advice

  • do not mix http with https,
  • it is good to add a redirect to https if possible.