java, cookies, tomcat8

Browser not sending cookies back for 302 redirect response


I am upgrading my Tomcat from version 7 to Tomcat 8.5. The authentication flow for my application is: the initial request is redirected to Okta, which sends an authentication token. I set the token in cookies on the root (/) path and send a redirect response, so that the next time the request comes, it will have a valid authentication token and will be authenticated successfully. Everything was working fine on Tomcat 7. After upgrading to Tomcat 8.5, this flow stopped working. The reason is that now the redirect request is blocking the cookies containing the authentication token. On debugging I found that now the cookies are not set on the root (/) path but are set on the logging request path (/app/api/). One more difference I found while comparing the cookies in the browser is that in Tomcat 7 the cookies show with path (/) in the browser developer tool, while in the case of Tomcat 8 it shows as ("/"). I guess that the browser is not able to understand the path in the response. I have tried changing the context under conf/context.xml with the attribute sessionCookiePath="/" and changing the cookie processor to LegacyCookieProcessor, but nothing is working. Any help will be appreciated.


Solution

  • Finally I was able to find the root cause and below are my findings: a quoted path "/" means the browser is not able to understand the cookie path sent by the server. In my case this could be happening due to an outdated Jersey version used in the project. I fixed this issue by setting the cookie in the response header as Set-Cookie and not using the Jersey cookie methods to set the cookie.
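As an added example (not code from the question or the answer), this is one way to emit the token cookie as a raw Set-Cookie header on the 302, as the answer describes, while refusing a quoted or malformed Path that a browser would not honour; the cookie name, the JAX-RS `Response` builder and the HttpOnly/Secure attributes are assumptions beyond what the post states.

```java
import java.net.URI;
import java.util.regex.Pattern;
import javax.ws.rs.core.Response;

/**
 * Added example, not the original project's code. Writes the authentication
 * cookie as a hand-built Set-Cookie header so the Path attribute is emitted
 * unquoted (Path=/ rather than Path="/"). Cookie name "auth_token" and the
 * redirect target are assumptions.
 */
public final class AuthCookieRedirect {

    // RFC 6265 cookie-octet: no control characters, whitespace, '"', ',', ';' or '\'.
    private static final Pattern SAFE_VALUE =
        Pattern.compile("^[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*$");

    /** Builds the Set-Cookie value; rejects input that would corrupt the header. */
    static String buildSetCookie(String name, String value, String path, boolean secure) {
        if (!SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("cookie value contains characters not allowed by RFC 6265");
        }
        if (path.startsWith("\"") || path.contains(";") || path.contains("\"")) {
            // A quoted path is exactly the symptom seen in the browser developer tool.
            throw new IllegalArgumentException("cookie path must be unquoted and contain no ';'");
        }
        StringBuilder sb = new StringBuilder()
            .append(name).append('=').append(value)
            .append("; Path=").append(path)   // unquoted, so it applies to the whole site
            .append("; HttpOnly");            // keep the token out of reach of page scripts
        if (secure) {
            sb.append("; Secure");            // only send the token over HTTPS
        }
        return sb.toString();
    }

    /** The 302 back into the application, carrying the token in a well-formed cookie. */
    static Response redirectWithToken(String token, URI target) {
        return Response.status(302)
            .location(target)
            .header("Set-Cookie", buildSetCookie("auth_token", token, "/", true))
            .build();
    }
}
```

Setting the header directly also bypasses whatever quoting the older Jersey NewCookie serialization applied, so the same call works unchanged on Tomcat 7 and 8.5.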