Cookie Management JSESSIONID from EAP 6.4.5 to EAP 7.1.2


We have migrated the product from 6.4.5 GA to EAP 7.1.2.

The product allows third-party applications to be integrated using the internal browser.

The steps below happen during integration.

  1. The product calls the URL of the third party.
  2. The JSESSIONID cookie gets set in the response header.
  3. The product makes sure to send the same cookie header with all subsequent requests.
  4. Third-party apps have their own login page, so point 3 is important.

It all works fine in 6.4.5 GA (both product and third-party app).
The first request to the third-party page creates the first session, and it is maintained till it expires; once it has expired, the login page comes up, a user logs in and continues (though Fiddler shows the JSESSIONID cookie twice, one for the original session ID and one for the new session ID).
But the third-party app receives both and works fine, as the new one exists in the cookies.

Now, when we move to 7.1.2 (both product and third-party), integration works once for the first request, but after the session expires it doesn't.
The reason is that the third-party app does not receive both JSESSIONID cookies anymore, but Fiddler still shows both coming in the request.

If I deploy the product on 7.1.2 and the third-party app on Tomcat or JBoss 6.4.0, it starts to work again. The third-party app starts receiving both JSESSIONID cookies.

So the issue occurs only if both exist on 7.1.2.

I know something called Undertow was introduced in EAP 7 and above; I am not sure what is causing this in JBoss.

Third-party log in 7.1.2:

Cookie Value: Jc7p6mtcedLZSoeUyPheTORGy1YEHQOABHvddiF6.:
Cookie Name: ai_user
Cookie Value: NUWYk|2020-01-07T16:27:14.500Z

Fiddler for the same request
POST ----
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: ----
Accept-Language: en-IN,en-US;q=0.7,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 69
Host: ----
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID="Jc7p6mtcedLZSoeUyPheTORGy1YEHQOABHvddiF6.:"; JSESSIONID="ThRzvDf0tabEhNMQItlV8OisQwOUAE-TSxE-z13-.:"; ai_user=NUWYk|2020-01-07T16:27:14.500Z

: gets added only in 7.1.2

Now with the product on 6.4.5 or 7.1.2 and the third-party app on Tomcat or JBoss 6.4.0:
Cookie Value: jtx6Ue4Ekj29tKQZqWwZGEiy
Cookie Value: 8DCqtP3ZGlvDuTuKMg4As-mp


POST ---
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: ---
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/7.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 69
Host: ----
Pragma: no-cache
Cookie: JSESSIONID=jtx6Ue4Ekj29tKQZqWwZGEiy; JSESSIONID=8DCqtP3ZGlvDuTuKMg4As-mp
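
Added example, not part of the original post and not JBoss or Undertow code: a small Python parser for a captured Cookie request header (such as the Fiddler lines above) that keeps every duplicate name in wire order, so the wire view can be compared with what the application logs. The function names are hypothetical, and the name-keyed dict in `last_wins` only illustrates how a lookup by name hides a duplicate; it is an assumption, not a statement of how EAP 7.1.2 parses cookies.

```python
from collections import OrderedDict

# Cookie header values copied from the two Fiddler captures in the post.
EAP7_HEADER = ('JSESSIONID="Jc7p6mtcedLZSoeUyPheTORGy1YEHQOABHvddiF6.:"; '
               'JSESSIONID="ThRzvDf0tabEhNMQItlV8OisQwOUAE-TSxE-z13-.:"; '
               'ai_user=NUWYk|2020-01-07T16:27:14.500Z')
TOMCAT_HEADER = ('JSESSIONID=jtx6Ue4Ekj29tKQZqWwZGEiy; '
                 'JSESSIONID=8DCqtP3ZGlvDuTuKMg4As-mp')


def parse_cookie_header(header):
    """Return [(name, value, was_quoted)] in wire order, duplicates kept.

    Simplification: splits on ';', so a quoted value containing ';' is
    not supported (none of the captured values contain one).
    """
    pairs = []
    for part in header.split(';'):
        part = part.strip()
        if not part or '=' not in part:
            continue  # skip empty or malformed segments
        name, value = part.split('=', 1)
        name, value = name.strip(), value.strip()
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if quoted:
            value = value[1:-1]  # drop the surrounding double quotes
        pairs.append((name, value, quoted))
    return pairs


def duplicates(pairs):
    """Map each cookie name sent more than once to all of its values."""
    seen = OrderedDict()
    for name, value, _ in pairs:
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def last_wins(pairs):
    """Name-keyed view (assumption for illustration): one value per name."""
    return {name: value for name, value, _ in pairs}


if __name__ == '__main__':
    for label, hdr in (('7.1.2', EAP7_HEADER), ('Tomcat/6.4.0', TOMCAT_HEADER)):
        pairs = parse_cookie_header(hdr)
        print(label, 'wire pairs:', pairs)
        print(label, 'duplicate names:', duplicates(pairs))
        print(label, 'name-keyed view:', last_wins(pairs))
```

Comparing the `duplicates` output for a capture with the cookie names and values the application logs shows whether the second JSESSIONID is dropped before or after the request reaches the application.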