user1424739

Reputation: 13685

Are request JSESSIONID and response JSESSIONID supposed to be different?

I see that the JSESSIONID values in the request header and the response header of an HTTP request are different. Is it a common scenario or an exception?

Upvotes: 2

Views: 692

Answers (1)

Joakim Erdfelt

Reputation: 49462

This is normal, but I wouldn't say common. It depends on what you are doing during that request / response exchange.

Invalidating any existing Session on login / logout is a common technique.

Using Session invalidate to invalidate an existing session is common.

Using HttpServletRequest.changeSessionId() during a change in login is also common, and a recommended technique by the security experts out there too.

But none of those happen on all requests, and shouldn't be the norm for the majority of your requests.

In short, it's normal / common for certain types of requests (credential change, login, authentication, authorization, etc), but rare to unheard of for other types of requests.

Upvotes: 3
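The two cases named in the answer above, as an added example that is not part of the original answer: a servlet that rotates the session id on login with `HttpServletRequest.changeSessionId()` and invalidates the session on logout, which is when the response carries a different JSESSIONID than the request. The class name, URL paths, parameter names, the `jakarta.servlet` namespace (Servlet 5+; older containers use `javax.servlet`) and a container-configured login realm are assumptions.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;

// Added example: class name, paths and parameter names are hypothetical.
@WebServlet(urlPatterns = {"/login", "/logout"})
public class SessionRotationServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            // Logout: discard the session and everything stored in it.
            // The JSESSIONID sent with this request is no longer valid afterwards.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        try {
            // Authenticate against the container's configured realm (assumed to exist).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // failed login: the session id is left unchanged
        }

        if (req.getSession(false) == null) {
            // No pre-login session: creating one issues a fresh id.
            req.getSession(true);
        } else {
            // Pre-login session exists: keep its attributes but replace its id, so an
            // id known before authentication cannot be used afterwards (session fixation).
            // The container sends the new id back in a Set-Cookie header.
            req.changeSessionId();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Requests that hit neither branch leave the session id alone, so a JSESSIONID that changes on ordinary page requests usually means the client is not sending the cookie back and a new session is being created each time.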
