Reputation:
After a user is authenticated, subsequent requests from the user need not be authenticated again. This is achieved using JSESSIONID.
But what I am not sure about is how JSESSIONID is passed: as a header field or as a cookie field? Or is it up to the application developer, who can choose one or the other approach?
Can someone explain how this works when spring-security is used for authentication and authorization?
Upvotes: 4
Views: 9765
Reputation: 87
It will be sent as
Cookie:JSESSIONID=SOMETHING; customCookie=SOMEOTHERTHIG
in the header.
Upvotes: 0
Reputation: 2238
JSESSIONID is a cookie defined by the J2EE standard, which is passed along with other cookies in the Cookie HTTP header, whose value follows the format [cookie1]=[value1]; [cookie2]=[value2]; ...
Example:
Cookie: userLocale=en; userTimezone=Europe/Berlin; JSESSIONID=DCFE1E7FB2C6BFFDD5153B7C79B9CEED; _ga=GA1.1.1774863087.1561033937
Upvotes: 1
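An added example (not part of the answers on this page) that pulls the session id out of a request using the Cookie header format shown above. It goes slightly beyond the answers by also checking the servlet URL-rewriting form `;jsessionid=<id>`, which containers can fall back to when cookies are unavailable; the function names and the second sample request are constructed for illustration.

```python
from urllib.parse import urlsplit

SESSION_NAME = "JSESSIONID"  # default servlet session cookie name


def parse_cookie_header(value):
    """Split a Cookie header value into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:                      # skip empty or malformed fragments
            pairs.append((name.strip(), val.strip()))
    return pairs


def find_session_ids(target, headers):
    """Return [(source, id), ...] for every session id a request carries.

    target  -- request target, e.g. "/app/home?x=1"
    headers -- list of (name, value) tuples; header names are case-insensitive
    """
    found = []
    for hname, hvalue in headers:
        if hname.lower() == "cookie":
            found += [("cookie", v) for n, v in parse_cookie_header(hvalue)
                      if n == SESSION_NAME]
    # URL-rewriting fallback: the id rides as a path parameter, ";jsessionid=<id>"
    for segment in urlsplit(target).path.split("/"):
        for param in segment.split(";")[1:]:
            key, sep, val = param.partition("=")
            if sep and key.lower() == "jsessionid":
                found.append(("url", val))
    return found


def review(target, headers):
    """Flag transports a defender would want to notice in logs or at a proxy."""
    ids = find_session_ids(target, headers)
    notes = []
    if any(src == "url" for src, _ in ids):
        notes.append("session id in URL (ends up in access logs and Referer)")
    if len({v for src, v in ids if src == "cookie"}) > 1:
        notes.append("conflicting JSESSIONID cookies in one request")
    return ids, notes


# Sample input: the Cookie header quoted in the answer above.
SAMPLE_COOKIE = ("userLocale=en; userTimezone=Europe/Berlin; "
                 "JSESSIONID=DCFE1E7FB2C6BFFDD5153B7C79B9CEED; _ga=GA1.1.1774863087.1561033937")

if __name__ == "__main__":
    print(review("/app/home", [("Cookie", SAMPLE_COOKIE)]))
    print(review("/app/home;jsessionid=CONSTRUCTED1234?x=1", [("Accept", "*/*")]))
```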
Reputation: 196
JSESSIONID will be the same for the particular user unless and until the user session is destroyed. If you want to set the same session back to the user, you can get JSESSIONID from the HttpServletRequest and set it on the HttpServletResponse. This is what happens internally.
Every request is associated with the session, and your application will be accessed by different users with different sessions.
If by any condition your user's browser loses the JSESSIONID, but you want him to continue in your application, you have to set it.
By default, JSESSIONID is stored in your cookies; that is the reason that when you clear your cookies you will be logged out from all the applications that you have logged in to.
Upvotes: 2