Chrome cookies not working after tomcat web server reboot

Question

I noticed recently, that when I reboot my Tomcat web server, that the Chrome browser can no longer store cookies. i.e. tomcat uses cookies for http sessions, and the browser can no longer get its http session, also the cookie we use to store the logged in user fails, and the user does not remain logged in.

This seems to be a new issue with Chrome, perhaps from a recent update, I do not remember seeing it before. If I close the Chrome browser, then reopen it, it is fine again (until the server is rebooted again).

The issue does not happen on Firefox, seems like a bug in Chrome.

Has anyone else noticed this issue, or know of a solution?

I found some posts about Chrome/tomcat cookie issues and the suggestion to set, sessionCookiePathUsesTrailingSlash=false in the context.xml but this does not fix the issue.

It seems it might be related to the website supporting both https and http, and switching between the two (although it did occur on a website that did not support https as well...)

Okay, I can now recreate the issue, steps are.

1. connect to website via https
2. logout / login
3. connect to website via http
4. Tomcat JSESSIONID cookie can no longer be stored (oddly user/password cookies are stored)

This only happens on Chrome, and only since the Chrome update that add the "insecure" flag on login pages that use http

Okay I added this to my web.xml

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This did not fix the issue, but made the issue always occur through http, i.e. make http no longer able to store the JSESSIONID cookie. I tried <secure>false</secure> but still get the old issue. So, it is related to this setting at least. Anyone have any ideas?

Logged bug on Chrome, https://bugs.chromium.org/p/chromium/issues/detail?id=698741

Answer 1

I was able to reproduce your problem with Chrome: Just it is needed to create HttpSession from HTTPS zone. Any subsequent HTTP request will not send the session cookie and any attempt to Set-Cookie:JSESSIONID= through HTTP is ignored by chrome.

The problem is localized when the user switch from HTTPS to HTTP. The HTTPS session cookie is maintained even if server is restarted and is working properly. (I tested with Tomcat6, Tomcat 9, and using an apache proxy for SSL)

This is response header sent by Tomcat when session is created from HTTPS

 Set-Cookie: JSESSIONID=CD93A1038E89DFD39F420CE0DD460C72;path=/cookietest;Secure;HttpOnly

and this one for HTTP (note Secure is missing)

 Set-Cookie:SESSIONID=F909DBEEA37960ECDEA9829D336FD239;path=/cookietest;HttpOnly

Chrome ignores the second set-Cookie. On the other hand Firefox and Edge replace the Secure cookie with the not-secured. To determine what the correct behaviour should be I have reviewed RFC2109

4.3.3 Cookie Management

If a user agent receives a Set-Cookie response header whose NAME is the same as a pre-existing cookie, and whose Domain and Path attribute values exactly (string) match those of a pre-existing cookie, the new cookie supersedes the old.

So, It is clear is a chrome bug, as you supposed in the question: The HTTP cookie should replace the one setted by HTTPS

Removing cookie manually from Chrome or invalidating the session at server side makes it work again (if after these actions the session is created using HTTP)

By default the JSESSIONID cookie is created with Secure when is requested from HTTPS. I guess this is the reason that Chrome do not allow to overwrite the cookie. But if you try to set <secure>false</secure> in web.xml Tomcat ignores it and the Set-Cookie header is sent with Secure

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Changing cookie name, setting sessionCookiePathUsesTrailingSlash or removing HttpOnly has had no effect

I could not find a workaround for this issue except invalidating server session when logged user switch from HTTPS to HTTP.

Finally I opened a bug in chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=698839

---

UPDATED The issue is finally marked as Won't Fix because it is an intentional change. See https://www.chromestatus.com/feature/4506322921848832

Strict Secure Cookies

This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.

Answer 2

I remember seeing this a couple of times and as far as I can remember this was the only recommendation on the matter, as you mentioned:

A possible solution to this might be adding sessionCookiePathUsesTrailingSlash=false in the context.xml and see how that goes.

Some info on the matter from here

A discussion here (same solution)

Hope I didn't confuse the issues and this helps you, let me know with a comment if I need to edit/if worked/if I should delete, thanks!