When a user enters the app, he receives a JSESSIONID, e.g., "12345678". The problem is that when this user leaves the app (calling session.invalidate()), the JSESSIONID value does not change; it remains "12345678", but the session values were reset. The JSESSIONID cookie (or URL suffix) is a name/value pair, whose name is "jsessionid" and whose value is a "random number". After that, when I perform an httpSession.invalidate(), the session is reset but the JSESSIONID value does not change. I also tried to remove the JSESSIONID cookie manually, but it seems that Tomcat or Spring are not letting me change its value. I'd like to know if it's possible to change this behavior either in Spring or in Tomcat.
Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter

Rest of application code is same as mentioned in every post in this series. This Post (and actually every post in this series) shows this logout in action. In the above image, ConcurrentHashMap has a lot of session id vs StandardSession object data.

Can someone please explain to me why this

The issue is related to cookie path, and not with domain. (Answered May 19 '14 by joaosavio.)

At last the reason is found, thank you!

When you invoke session.invalidate() on the HttpSession, it detaches the session from Tomcat's hashtable. I wouldn't expect the server to send further jsessionid cookies back to the client, although without checking, I don't know if the response to the request that destroyed the session also sends back cookie-destruction information, and if it doesn't, that would leave the jsessionid cookie on the client, even though it was meaningless.
For a non-secure session, it's probably OK if a new session request would create a new session instance and bind it to the old session ID if the client continued to send down the original cookie. Tomcat keeps the session but changes the jsession ID when it shifts from http to https transport. When I call session.invalidate(), JSESSIONID cookie is removed or 2.
ApplicationDispatcher invoke SEVERE: Servlet.service() for servlet jsp threw exception
IllegalStateException: Neither BindingResult nor plain target object for bean name 'userDTO' available as request attribute at org.servlet.support. Abstract Data Bound Form Element Bind Status(AbstractDataBoundFormElementTag.java:179) at org.form.
I would love to hear your thoughts on these articles; it will help me further improve our learning process.
If you change the cookie domain in a Tomcat Context, you would have to restart the entire web application.
This holds even if the session is invalidated and a new one created.