Pankaj Dwivedi

Reputation: 463

JSESSIONID is reused by Websphere Liberty Profile after session invalidation

I am running a Spring application on Websphere Liberty Profile 16.0.0.2. After a successful login, I see the JSESSIONID cookie in the request header as J1. I invalidate the session and create a new one. Now, the next request contains the same JSESSIONID cookie value, i.e. J1, instead of something new as I would expect after a session invalidation.

After some research, I tried the following Session Management settings via the server.xml.

<httpSession idLength="28" invalidateOnUnauthorizedSessionRequestException="true" cookieSecure="true" useInvalidatedId="false"></httpSession>

Still, the behaviour remains the same.

Interestingly, when I deploy the same web application on Tomcat 8, I see different JSESSIONID cookie values as expected. Something is more stubborn with WLP. Please suggest.

Upvotes: 0

Views: 3345

Answers (3)

bigfoot

Reputation: 123

Try setting idReuse to false in httpSession.

Upvotes: 0

M. Tamboli

Reputation: 386

I tried to look for JSESSIONID behavior for a web application running on WebSphere Liberty server involving Form Login and Logout.

1) When the login page was displayed, a JSESSIONID cookie existed, let's say with an ID of J1. After logging in with a valid user/password, the JSESSIONID remained J1, as expected.

2) Then I did a form logout (ibm_security_logout), which is implemented as described in the following doc. After logout, I saw that the JSESSIONID value had changed to J2. So I did see the JSESSIONID being invalidated and a new one created.

https://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_pofolo.html

The only difference I see between our scenarios could be how we are invalidating the session. Can you log in as a different user next time? If the session did not get invalidated, then logging in as a different user (e.g. user2) will cause an exception, as the session will still be owned by the previous user (e.g. user1).

Upvotes: 0

Allan Zhang

Reputation: 21

The JSESSIONID cookie can be specified by the client. If this wasn't intended, it may be due to a cookie preserved or cached by the browser. Try clearing the cookie on the client side.

Request.getRequestedSessionId() should be able to verify it:

https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getRequestedSessionId%28%29

Upvotes: 0
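A small diagnostic servlet, added here as an example and not part of any of the answers above, that makes the check concrete: it records the id the client actually sent (getRequestedSessionId()), invalidates the current session, creates a new one, and reports whether the container handed back a different id. The servlet class and its /session-check path are assumed names; it relies only on the standard Servlet 3.x API.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet: invalidates the current session, creates a
// fresh one and reports whether the container issued a new id or kept the old one.
@WebServlet("/session-check")
public class SessionIdCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Id the client presented in its Cookie header (null if it sent none),
        // and whether the container still considers that id a live session.
        String requestedId = req.getRequestedSessionId();
        boolean requestedValid = req.isRequestedSessionIdValid();

        HttpSession old = req.getSession(false);
        String oldId = (old == null) ? null : old.getId();
        if (old != null) {
            old.invalidate();
        }
        // A container that honours the invalidation must give the new session
        // an id different from oldId; equality is the behaviour the question reports.
        HttpSession fresh = req.getSession(true);
        String newId = fresh.getId();
        boolean reused = newId.equals(oldId);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("requested id   : " + requestedId
                + " (valid on arrival: " + requestedValid + ")");
        out.println("old session id : " + oldId);
        out.println("new session id : " + newId);
        out.println("id reused      : " + reused);
    }
}
```

Calling it twice from the same browser should show the second request's requested id equal to the first response's new id, and "id reused : false" on both responses; a "true" reproduces the reuse described in the question and is the case to raise with the server configuration.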
