EN
Tomcat - spring does not create JSESSIONID with http when https was used before
10 points
In this article we want to show how to create new session for http protocol when web browser blocks Set-Cookie with JSESSIONID after https was used.
Google Chrome error:
xxxxxxxxxx1
This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.When https protocol is in use, Tomcat creates JSESSIONID cookie with Secure property that makes imposible to create JSESSIONID again with http protocol.
Issue screenshot:
Response header for http with Secure property:
xxxxxxxxxx1
Set-Cookie: JSESSIONID=494B7D14488AF5713852C4D21A042A622C49639F9E3BDB929177F43628689574FDC9F68901A2BEBECA9D792F4F3DF97701FA; Path=/; Secure; HttpOnlySimple Steps:
- open
https://localhost, - go to Application tab in Google Chrome DevTools,
- remove
JSESSIONIDcookie - do not refresh web browser, - go to
http://localhost- it will createJSESSIONIDwithoutSecureproperty, - now you can use Tomcat sessions with
httpagain.
- do not mix
httpwithhttps, - it is good to add redirection to
httpsif it is possible.
