Session is lost and created as new in every servlet request

暖寄归人 2020-11-28 03:56

I have this big issue. My current session is gone every time I make a new request to the server.

I have checked in a lot of places. I can't find what's the problem. I

9 answers
  •  情话喂你
    2020-11-28 04:58

    I experienced a stale https session cookie (my ad-hoc term) problem, due to a secure flag.

    I had this problem when switching between http and https. The cookie stored by the https session was never overwritten by the http session. It remained in Firefox memory for eternity. It was visible in Firefox Tools / Options / Privacy / Delete single cookies, where in the "Send for" field it was "Only for secure connections". Clearing this single cookie or all cookies is a workaround.

    I was debugging the problem with wget, and I noticed such a header:

    Set-Cookie: JSESSIONID=547ddffae0e5c0e2d1d3ef21906f; Path=/myapp; Secure; HttpOnly
    

    The word secure appears only in https connections and creates this stale cookie. It's a SecureFlag (see OWASP). There are ways to disable this flag on the server side, which seems like a permanent solution, but maybe not safe.

    Or is it a browser bug, that the cookie is not overwritten?
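The sending half of the behaviour described in the answer above can be reproduced offline with Python's standard cookie jar. This is an added example, not code from the thread: the host `app.example.com`, the `FakeResponse` class and the `server_sees_session` helper are constructed for illustration, and only the `Set-Cookie` header is taken from the answer.

```python
import http.cookiejar
import urllib.request
from email.message import Message
from http.cookies import SimpleCookie

# Header quoted in the answer; everything else below is constructed.
SESSION_ID = "547ddffae0e5c0e2d1d3ef21906f"
SET_COOKIE = f"JSESSIONID={SESSION_ID}; Path=/myapp; Secure; HttpOnly"


class FakeResponse:
    """Minimal response object: CookieJar only calls info() on it."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def server_sees_session(cookie_header, live_sessions):
    """Hypothetical stand-in for the container's lookup of JSESSIONID."""
    if not cookie_header:
        return False
    parsed = SimpleCookie(cookie_header)
    return "JSESSIONID" in parsed and parsed["JSESSIONID"].value in live_sessions


def demo():
    jar = http.cookiejar.CookieJar()
    # The session cookie is issued on an https response (assumed host).
    https_login = urllib.request.Request("https://app.example.com/myapp/login")
    jar.extract_cookies(FakeResponse(SET_COOKIE), https_login)
    return {
        "https": cookie_header_for(jar, "https://app.example.com/myapp/page"),
        "http": cookie_header_for(jar, "http://app.example.com/myapp/page"),
    }


if __name__ == "__main__":
    for scheme, header in demo().items():
        print(scheme, header, server_sees_session(header, {SESSION_ID}))
```

Over http the jar withholds the `Secure` cookie, so the server finds no `JSESSIONID` and has nothing to match against an existing session. Serving the whole application over https, rather than removing the flag, keeps the cookie both protected and consistently returned.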
