set samesite: none

answered 2022-03-11 14:52:57 +0800

MDuchemin
2480 ● 1 ● 6

Hi there,

Let's see this in details :)

JSESSIONID is a cookie generated by the web container (the Tomcat, jetty, wildfly, etc) server that hosts your application. It's created when a process on your server stores anything at session level. In the context of ZK, ZK will store values in your session, and thus will cause a JESSIONID cookie to be created at client-side.

JESSIONID cookies denote a session with the specific server that created it, and is used to track the session. When you make another request to the same server, the JSESSION ID cookie is sent with the request, and the server uses it to match this request with your existing session.

Now, if you navigate to a different website that also runs on a J2EE server, that other website may also use a session storage on their own website. That would cause another JSESSIONID cookie to be created under that website's domain.

With all that said, other servers shouldn't need to know your JESSIONID cookie. It is a private session identifier that only has meaning to the server that created it.

Now, lastly, regarding why JSESSIONID might change. JSESSIONID changes if your session is no longer valid. A session can be expired, can be invalidated by a process, or maybe the server has restarted an purged the session cache in between requests.

From your browser's developer tools, you can see the headers sent to the server. In the request headers, you will find the JSESSIONID under cookies.

If you send "nothing" to the server, you will get a new JSESSIONID. If you send a JSESSIONID and do not receive an updated cookie, then your session was still valid. if you send a JSESSIONID and receive a new cookie with a different value, then your session was not found, was expired, was timed out or was invalidated at server side.

Let me know if that helps :)