For .jspf pages in particular, this happens if you configured your web.xml with such a snippet: in order to enable scriptlets inside them.

RE: Regarding JSESSIONIDSSO Cookie maintained by tomcat cases.

A new JSESSIONID is created each time a user runs a servlet request. I have attached two files showing these dumps - one after a restart (the failure case), and then again after disabling and reenabling the app (the success case).

2. (much to my surprise I get a JSESSIONIDSSO cookie when I log in via an Angular client, not sure what that is all about)

JSESSIONID and JSESSIONIDSSO (Technical Discussion, hpi, February 18, 2022, 11:30am)

Hi, when I use Payara and use HTTP sessions, a JSESSIONID and/or JSESSIONIDSSO cookie is created which are sent back to re-access the session.

I managed to remove .node postfix by adding following lines to jetty-env.xml: Here is related source code of DefaultSessionIdManager, This is a jetty session id, you can read a little more about it here:

WASPostParam contains the parameters of the last HTTP POST request.

jsessionid is client side component (web), sessionid is server side component.

Due to the addition of the worker name in JSESSIONID, in my application some header validation that happens outside of Jetty starts failing.

Any real-world example, please.

All the applications' JSESSIONID can be reset when the session timeout (5min) or server restart (I checked the Firefox cookies manager), but the JSESSIONIDSSO value can't be reset, it keeps the old cookie value, and when logging into the server again, it failed, caused by using an old cookie value, but the server has created a new session cookie.

How is JSESSIONID determined in this CSRF test?

Just how cookies/headers work.
A new JSESSIONID is created each time a user runs a servlet request. The audit.log shows multiple logins within seconds for the same user.

Note: I realize that since Firefox has a cookie for a valid session with the application, it can use that.

Why are two CSRF tokens (hidden field and cookie) necessary to mitigate CSRF attacks?

Maybe ctomc or swd847 would know more.

2. And then the next request from the browser to the server has that same sessionID, linking it to the already established session:

Correct me if I misunderstood the question. But here's what I have understood.

As a result, there is a disconnect between the session cookie name used by Tomcat for stickiness and the actual session cookie name being generated. This worked in release 8.1.05 of WebFOCUS because the session cookie name used by WebFOCUS defaulted to JSESSIONID.

The name of the session cookie is set by default to JSESSIONID.

Beware if your page is including other .jsp or .jspf (fragment)!


jsessionid vs jsessionidsso