Search code examples
javacookiessession-cookiesjsessionidhttpcookie

JSessionID changes on resource request after login which invalidates the session

I have a Spring-AngularJS application. The primary issue is that I get logged out immediately after getting logged in. This issue happens only on few Firefox versions (35.0.1 for example)

After investigating a bit into the issue, I figured out the following:

  1. First call to Spring security after login provides us the response cookie

GET /login

Request Cookie: BBBBBB

Response cookie: AAAAAA

Since the /login is a redirect (302) to the home page, below is the first request after login

  1. GET /#/

Request cookie: AAAAAA

  1. Next, a few request for resources are requested (e.g. css, etc)

GET /resources/abc.min.css

Request cookie: CCCCCC

GET /resources/pqr.min.css

Request cookie: CCCCCC

As you can see above, the request cookie is updated (I have no idea where is it coming from).

  1. After this, we request the Spring API to fetch user information Spring immediately rejects this cause it thinks the session is invalid.

To provide more information on our server architecture, we have our application WAR in Tomcat 7 which is behind Apache server. A load balancer is on top of the apache server performing the load balancing.

Could someone shed some light on this? Any help would be great!

Thank You!

Solution

  • One thing that may be causing this is if you have mixed secure/non-secure content. Your http requests will have a different session cookie than your https requests.