java angular spring-boot session httpsession

httpSession.getAttribute("userId") returns null in Spring Boot after frequent API requests from the Angular front end


I am working on an app which has its front end implemented in Angular 5 while the back end is in Spring Boot. I am using JWT tokens for authentication. The problem which I am unable to figure out is that when a user logs in, I set userId in HttpSession on the back end to use userId in later requests by the same user.

session.setAttribute("userId", userData.getUsername());

If the same user makes requests to the back end's RestControllers at some interval like half a second, httpSession is returned correctly; if I make very quick requests, httpSession starts returning NULL. I am making requests from Angular like this from various services.

getMyAccountList() {
  return this.http.get('/api/account/getMyAccountList');
}

Solution

  • So I figured it out: it was due to Spring Security's Session Fixation behaviour, which is active by default. Configuring HttpSecurity http in WebSecurityConfigurerAdapter can solve the problem. Just need to add this configuration.

    http.sessionManagement().sessionFixation().none();
    

    Also refer to this post: Apache Tomcat 7 Changing JSESSIONID on Every Request
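
Added example, not part of the original answer: `sessionFixation().none()` turns off Spring Security's session fixation protection, so an alternative for a JWT-authenticated API is to keep the API stateless and read the user from the authenticated principal instead of `HttpSession`. Assumptions: Spring Security 5.x, an application JWT filter (not shown) that validates the token and sets the `Authentication` with the username as its name, and the hypothetical class names `ApiSecurityConfig` and `AccountController`.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {  // hypothetical name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Weak setting from the answer above: the session ID that existed
            // before authentication stays valid afterwards.
            //   .sessionManagement().sessionFixation().none()
            //
            // Alternative: Spring Security neither creates an HttpSession nor
            // stores the SecurityContext in one; each request is authenticated
            // from its JWT alone.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated();
        // Assumption: the application's JWT filter is registered here,
        // e.g. with http.addFilterBefore(...).
    }
}

@RestController
class AccountController {  // hypothetical name

    // The endpoint called by the Angular service in the question.
    @GetMapping("/api/account/getMyAccountList")
    public Map<String, String> getMyAccountList(Principal principal) {
        // Replaces session.getAttribute("userId"): the identity comes from the
        // token validated on this request, so it cannot go missing when the
        // container changes or drops a session between rapid requests.
        String userId = principal.getName();
        return Collections.singletonMap("userId", userId);
    }
}
```

The controller must not call `HttpSession` itself: if the application creates a session, the default fixation strategy still applies to it on authenticated requests.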