Ziko

Reputation: 961

Can not read JSESSIONID cookie after setting cookie-config to httpOnly and secure in web.xml

I have added the following configuration in my webapp application web.xml

    <session-config>
        <cookie-config>
            <path>/</path>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

When I start my application, I send an http request to set this cookie and I can see it in the http response with path /, Secure and httpOnly.

However, I can't see this cookie being sent inside the following http requests and hence, if I do request.getSession().getId() for the following requests, I get an empty string.

I tried adding the following to my tomcat 8.5 context and also the WAR context

    <Context sessionCookiePath="/">

but it did not fix the issue.

Does that mean that the JSESSIONID cookie is not secure and is hence not being sent with the requests?

Upvotes: 3

Views: 5753

Answers (1)

Selaron

Reputation: 6184

As per your comment you are setting the session cookie secure attribute to true, using an http connection for transport.

While the http protocol in use does not guarantee confidential transport, you correctly indicate that the session is sensitive information by activating the secure attribute. Therefore the browser refuses to send this information back to the server via insecure plain-text http transport.

Read this Q/A for additional details: How does cookie “Secure” flag work?

As the JSESSIONID is never sent back to the server, each request will end up creating a new session which is never used for subsequent requests.

The solution is to either disable the secure attribute, or preferably configure and use an https connector in Tomcat.

You should also configure your app to accept https connections only and redirect http to https.

Upvotes: 5
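The answer recommends keeping the `<secure>true</secure>` setting from the question's web.xml and instead serving the application over https with http redirected to it. The two fragments below are an added example of that setup for Tomcat 8.5; they are not from the question, the answer, or the Tomcat distribution. The port numbers, the keystore path `conf/localhost-rsa.jks` and its password are assumed placeholder values: substitute the keystore that holds your own server certificate.

```xml
<!-- conf/server.xml (fragment, inside <Service>) -->

<!-- Plain http connector. redirectPort must match the https connector
     below: Tomcat sends requests that hit a CONFIDENTIAL constraint
     to https://host:8443/... instead of serving them over http. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- https connector. Because the session cookie is marked Secure, the
     browser only returns JSESSIONID on requests that arrive here. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true">
    <SSLHostConfig>
        <!-- assumed placeholder keystore; use your own certificate -->
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml (fragment) -->

<!-- Same cookie settings as in the question: the session cookie is
     HttpOnly (not readable by script) and Secure (https only). -->
<session-config>
    <cookie-config>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

<!-- Require a confidential transport for every URL in the app. A request
     that arrives on the http connector is answered with a redirect to the
     https connector's redirectPort, so the Secure cookie is never expected
     over plain http in the first place. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

With this in place, a request to http://host:8080/app/ is redirected to https://host:8443/app/, the Set-Cookie response carrying `JSESSIONID=...; Path=/; Secure; HttpOnly` is issued over https, and the browser returns the cookie on the https follow-up requests, so `request.getSession().getId()` resolves to the same session instead of creating a fresh one each time. If you sit Tomcat behind a TLS-terminating proxy instead, the https connector is replaced by the proxy and Tomcat must be told the original scheme (for example via the RemoteIpValve), otherwise the CONFIDENTIAL constraint redirects in a loop.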
