Understanding Java Session and Cookie: A Hands‑On Spring Boot Demo
This article explains the fundamentals of HTTP Session and Cookie mechanisms in Java web applications, provides a minimal Spring Boot controller example that stores and retrieves a browser identifier via session, demonstrates behavior across Chrome and 360 browsers, and highlights the security risk of tampering with the JSESSIONID cookie.
Session and Cookie Basics
HTTP is a stateless protocol, so web applications use Session (server‑side) and Cookie (client‑side) to remember request state. In a traditional monolithic setup Tomcat stores the session in memory; for distributed scenarios developers often back sessions with Redis, JDBC, or MongoDB, which Spring can configure automatically. The session identifier is communicated to the client via a cookie named JSESSIONID. While most cookies are rarely needed, the JSESSIONID cookie is essential because it links the client request to the server‑side session.
Code Example
A tiny Spring Boot controller demonstrates how a session attribute can be set and read. The endpoint http://localhost:8080/test/cookie?browser=xxx stores the browser parameter in the session if the session does not already contain it, otherwise it prints the stored value. All request cookies are also printed.
@Controller
@RequestMapping("/test/cookie")
public class CookieController {
public String cookie(@RequestParam("browser") String browser,
HttpServletRequest request,
HttpSession session) {
Object sessionBrowser = session.getAttribute("browser");
if (sessionBrowser == null) {
System.out.println("Session not found, setting browser=" + browser);
session.setAttribute("browser", browser);
} else {
System.out.println("Session exists, browser=" + sessionBrowser.toString());
}
Cookie[] cookies = request.getCookies();
if (cookies != null && cookies.length > 0) {
for (Cookie cookie : cookies) {
System.out.println(cookie.getName() + " : " + cookie.getValue());
}
}
return "index";
}
}Testing with Chrome
First request (e.g., browser=chrome) yields no existing session, so the controller stores browser=chrome and prints:
SessionInfo: session not found, setting browser=chromeSubsequent requests return the stored value and the automatically generated JSESSIONID cookie, e.g.:
SessionInfo: session exists, browser=chrome
CookieInfo: JSESSIONID: 4CD1D96E04FC390EA6C60E8C40A636AFTesting with 360 Browser
Repeating the same steps with the 360 browser (using browser=360) creates a separate session and a different JSESSIONID value, confirming that sessions are isolated per browser instance.
SessionInfo: session not found, setting browser=360
CookieInfo: JSESSIONID: 320C21A645A160C4843D076204DA2F40Security Issue
Because the server relies solely on the JSESSIONID cookie to locate the session, an attacker who copies a valid cookie from one browser to another can impersonate the original user. The article demonstrates this by editing Chrome’s JSESSIONID to the value obtained from the 360 browser, after which the server returns the session data associated with the 360 browser ( browser=360), proving the vulnerability.
These observations underline the importance of protecting session cookies (e.g., using HttpOnly, Secure flags, and short expiration) and avoiding reliance on client‑side storage for sensitive authentication data.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.