I have the following use case:
We have a webstore where a user can select some goods and then buy them. He can add goods to his cart before logging in to the application. All of these items must be stored in his session. When the user clicks the "pay" button we will ask for his credentials/card/etc.
My problem: when I log in before adding items to the cart, everything works correctly. But when I try to add items to the cart as an anonymous user, the items are not stored. I always receive a different JSESSIONID after refreshing each page as an anonymous user.
I decided to create a simple application which illustrates my problem. I think it can't be fixed without my sources.
Here is my application:
https://github.com/AlexTestAccount/simple_test
It is very simple. It contains only one controller and a session bean where I try to save something.
To run it you need gradle, tomcat and the environment variable CATALINA_HOME defined; then you can use:
gradle deploy
p.s. Sorry for my English
Spring Security's anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API methods such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.
SessionManagementFilter (org.springframework.security.web.session.SessionManagementFilter) in Spring Security. In XML configuration it's represented by a tag called <session-management />.
Enable the Debug log level for org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
There must be a log statement when you log in:
>Invalidating session with Id '<originalSessionId>' <and : without> migrating attributes
If it prints "without migrating attributes" then you need to configure Spring Security's SessionFixationProtectionStrategy.migrateSessionAttributes to true (but this should be the default).
Another possible problem is that tomcat changes the session when you switch from http to https. To verify that this is the problem: first switch to https (NOT logged in), add an item to your cart and then check if it disappears. But tomcat should normally preserve the session content while switching from http to https (but not the other way around).
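As an added illustration of the answer above (this is not code from the question's repository or from any answer), here is a Spring Security 6 Java configuration that makes the session-fixation setting explicit: on login the old session is invalidated, a new one is created, and the attributes (the cart) are copied across. The package name, class name and the `/cart/**` URL pattern are assumptions; `migrateSession()` is the Java-config equivalent of `<session-management session-fixation-protection="migrateSession"/>` and of `SessionFixationProtectionStrategy.migrateSessionAttributes = true`.

```java
// Added example, not part of the original question or answers.
// Package and class names are hypothetical.
package example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SessionConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Anonymous users may fill the cart; everything else needs a login.
            // "/cart/**" is an assumed URL pattern for this example.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/cart/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            // Session fixation protection: invalidate the pre-login session,
            // create a fresh one and migrate its attributes (the cart) into it.
            // This keeps the defensive session change on login while preserving
            // what the anonymous user already stored.
            .sessionManagement(session -> session
                .sessionFixation().migrateSession());
        return http.build();
    }
}
```

To see the "Invalidating session with Id ... migrating attributes" statement the answer refers to, raise the logger level for `org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy` to DEBUG in your logging framework (in a Spring Boot project, for example, via the `logging.level.<logger name>=DEBUG` property). Note that attributes can only be migrated if a session already existed before login, so the anonymous cart controller must actually create and use the HTTP session.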