horus

Reputation: 115

How session works with Weblogic 12 c - Closing browser seems to invalidate the session or the cookie

In our weblogic java ee application the <cookie-max-age-secs> param is set to -1 (not expire)

The weblogic <timeout-sec> param is set to 1800 sec (30 mins)

  1. The user logs in and then closes the browser (X close).

  2. The user reopens the browser (after a few secs) and clicks on the previous address.

Expected behavior: The browser sends the cookie (which is not expired) and Weblogic recognizes the cookie ID, which is still associated with a session and lets the user automatically log in to the application.

Actual behavior: The user is prompted with the login screen and has to re-login.

It seems like the browser invalidates the cookie when the browser is closed (X close) and doesn't send it to the application.

Note: Clear browser cache on browser close is NOT checked. Also we don't destroy the session on browser close (nothing fancy like that)

How is this possible? Am I missing something here?

To make things even harder: if you are in developer mode (F12) and you're capturing the requests (Network tab) when you close (X close) and reopen, you are automatically logged in.

Same exact test but different behavior. How can it be?

Thanks in advance.

Upvotes: 1

Views: 2431

Answers (1)

Alboz

Reputation: 1851

Browser close deletes the JSESSIONID cookie.

The actual behaviour is the desired/expected one. This is because JSESSIONID is deleted by the browser on browser close.

So when you reopen the browser and send a request to your application the browser is NOT sending any cookie (NO JSESSIONID) to the web application. Thus you are prompted with the login screen.

Note: The session object is still in memory, but there is no way to access it at this point. Some time after the timeout is reached (30 min in your case) a low priority thread will remove the session object.

Now let's consider the bizarre case (Developer tools opened):

My bet is that your developer tools window is open in a new window and this window is not closed when you close the browser. This is preventing the deletion of the JSESSIONID.

Thus, in this case your browser sends the JSESSIONID cookie in the request header and since we said before that your session object is still in memory, weblogic accepts it.

Upvotes: 1
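
An added example, not part of the original question or answer: a small Python check that classifies a `Set-Cookie` header the way a browser stores it, to show why a JSESSIONID set with a max age of -1 does not survive a browser close. The header values are constructed, and it is an assumption here that the container emits no `Expires`/`Max-Age` attribute for a negative max age, which is how the Servlet API documents `Cookie.setMaxAge`.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Classify one Set-Cookie header value by how a browser stores it.

    ("session", None)    -> no Expires/Max-Age: dropped when the browser exits
    ("persistent", secs) -> kept across restarts for `secs` more seconds
    ("expired", 0)       -> removed immediately
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:      # first part is name=value
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()

    # Max-Age takes precedence over Expires when both are present.
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?[0-9]+", max_age):
        secs = int(max_age)
        return ("persistent", secs) if secs > 0 else ("expired", 0)

    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            when = None                          # unparsable date: ignore it
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            secs = int((when - now).total_seconds())
            return ("persistent", secs) if secs > 0 else ("expired", 0)

    return ("session", None)


def survives_browser_close(set_cookie, now):
    """True only for cookies the browser keeps after it exits."""
    return cookie_lifetime(set_cookie, now)[0] == "persistent"


# Constructed sample headers (not captured from a real server).
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
NEGATIVE_MAX_AGE = "JSESSIONID=abc123; Path=/; HttpOnly"
MAX_AGE_1800 = "JSESSIONID=abc123; Max-Age=1800; Path=/; HttpOnly"
EXPIRES_30_MIN = "JSESSIONID=abc123; Expires=Wed, 01 Jan 2025 12:30:00 GMT; Path=/"

if __name__ == "__main__":
    for header in (NEGATIVE_MAX_AGE, MAX_AGE_1800, EXPIRES_30_MIN):
        print(cookie_lifetime(header, NOW), "<-", header)
```

A session identifier that persists on disk stays usable by anyone with access to the browser profile until the server-side timeout removes the session, so a positive max age should be a deliberate choice.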
