Session is lost and created as new in every servlet request
Solution 1
After years, I never posted the answer back here. At that time I was busy and forgot about this question. But, today I am looking for a solution in Stackoverflow as usual and saw this notification mentioning I am getting points from this Question. Seems like other developers are facing the same issue. So, I tried to recall how I solved the issue. And yes, I solved by manually put back the session id to track/maintain the session id.
Please see the code that I manually put back jsessionid inside the servlet.
HttpSession session = request.getSession();
if (request.getParameter("JSESSIONID") != null) {
Cookie userCookie = new Cookie("JSESSIONID", request.getParameter("JSESSIONID"));
response.addCookie(userCookie);
} else {
String sessionId = session.getId();
Cookie userCookie = new Cookie("JSESSIONID", sessionId);
response.addCookie(userCookie);
}
Solution 2
One possible cause for this is having a "naked" host name (i.e. one without a domain part). That's fairly common if you're working in an Intranet.
The problem is that almost all browsers cookies will not accept cookies for hostnames without a domain name. That's done in order to prevent evilsite.com from setting a Cookie for com (which would be bad, as it would be the ultimate tracking cookie).
So if you access your applicaton via http://examplehost/ it won't accept any cookie, while for http://examplehost.localdomain/ it will accept (and return) the cookie just fine.
The nasty thing about that is that the server can't distinguish between "the browser got the cookie and ignored it" and "the browser never got the cookie". So each single access will look like a completely new sesson to the server.
Solution 3
First check if the webapp's context.xml does not have cookies="false" configured.
Further it's good to know that cookies are domain, port and contextpath dependent. If the links in the page points to a different domain, port and/or contextpath as opposed to the current request URL (the one you see in the browser's address bar), then the cookie won't be passed through which will cause that the session cannot be identified anymore and thus you will get a new one from the servletcontainer.
If that is not the cause, then check if you aren't doing a redirect on every request using HttpServletResponse.sendRedirect() for some reason. If you do this already on the very first request, then the cookie will get lost. You'll need to replace
response.sendRedirect(url);
by
response.sendRedirect(response.encodeRedirectURL(url));
Solution 4
In Your properties
server.session.cookie.http-only=true
server.session.cookie.secure=true
Remove these settings, it will retain your session id cookie, which is being reset with every request.
Solution 5
I experienced a stale https session cookie (my ad-hoc term) problem, due to a secure flag.
I had this problem when switching between http and https. The cookie stored by https session was never overwritten by http session. It remained in FireFox memory for eternity. It was visible in FireFox Tools / Options / Privacy / Delete single cookies where in Send for field it was Only for secure connections. Clearing this single cookie or all cookies is a workaround.
I was debugging the problem with wget, and I noticed such a header:
Set-Cookie: JSESSIONID=547ddffae0e5c0e2d1d3ef21906f; Path=/myapp; Secure; HttpOnly
The word secure appears only in https connections and creates this stale cookie. It's a SecureFlag (see OWASP). There are ways to disable this flag on server side, which seems like a permanent solution, but maybe not safe.
Or is it a browser bug, that the cookie is not overwritten?
Related videos on Youtube
07 : 06
18 : 33
09 : 44
14 : 22
38 : 35
15 : 32
20 : 46
12 : 23
03 : 58
51 : 50
Min Soe
Updated on July 16, 2021Comments
-
Min Soe almost 3 years
I have this big issue. My current session is gone every time I made a new request to Server.
I have checked in a lot of places. I can't find what's the problem. I also have included session-config in web.xml both in tomcat and application. I also enabled to accept cookies to my browsers. Tested in every browser. It's not working.
I am just developing a simple java ee applcation using JSP/Servlet. I am facing the problem only after I have deployed to tomcat in server machine.
-
Julien Kronegg over 10 yearsSimial question: stackoverflow.com/q/13461838/698168
-
-
Min Soe over 14 yearsI already checked. Actually, it is working fine on my machine which is a development machine, but, in the server
-
Min Soe over 14 yearsBut, How? I used sessions in lot of projects. I have never faced this issuse. Can you please give me how to send it back to the browser? It's not only happening in Firefox, it's also happening in the other browsers.
-
user2649601 over 14 yearsIn that case there is apparently a difference in configuration between your dev server and your live server. Please add the web.xml snippets you modified to your question.
-
skaffman over 14 yearsI'm not saying that it's browser-related, but the plugin will allow you to see the cookie being passed back and forth (or not, as the case may be). It won't tell you why, but it may tell you what.
-
Min Soe over 14 yearsI got this when i POST Set-Cookie: JSESSIONID=D02AE9722D84B1E404C80125F5CD23BF; Path=/myapp and i got this after i've refresh my page. Set-Cookie: JSESSIONID=F23780E7F8085624EBF25F3EB3DFF45D; Path=/myapp
-
Min Soe over 14 yearsI already tested with the application even in the server using localhost. It is causing the same issuse. In this project, I am using Jersey REST service, JCaptcha and custom tag.
-
Min Soe over 14 yearsWhat is very strange is, I installed Glassfish on the server and deploy the application on the glassfish. Still the same problem... I am completely lost.
-
Juan Rada about 11 yearsI have changed my machine link name from IP to machinene.localdomain and my problem was solve!. Thank you -
dimplex about 7 yearsI had this issue with localhost and with Chrome only. Strangely, when restarted or with its settings just reset, the browser accepted cookies for localhost. However, after the first logout from application, it stopped doing this. The solution was using localhost.localdomain instead. Thank you!
-
s1m3n almost 6 yearsYes. This was driving me crazy. Thank you BalusC. -
Gurkha over 4 yearsthanks this helped, for those who do not have these on properties file, I have em on web.xml. -
DavidS over 4 yearsCan someone please explain why this works? It particular the instructions regarding
sendRedirect? You don't need to explain here if you don't have time, I will read the documentation if you point to it. -
BalusC over 4 years@DavidS: it adds session ID to URL so that server can identify the associated session by URL of the incoming request instead of the cookie. See also stackoverflow.com/q/1700390
-
Pravin Agrawal about 4 yearsresponse.sendRedirect(response.encodeRedirectURL(url)); worked for me also. Thank you BalusC. -
bernhof about 2 yearsOr use a persistent session store (e.g. Redis) so different nodes can see the session.
