Jmix web application does not create new http session in Restful service for a new web session

olumideo · November 6, 2023, 9:23pm

Hi,
Please I need your support with this critical issue that needs to be resolved with my application.

I have a jmix web application that calls a restful service. The restful service keeps track of request calls coming from the jmix web application and logs the request sessionid.

 @GetMapping("/items")
public void all(HttpServletRequest request) {
   log.info("Session id: {}", request.getSession().getId());
}

What I realize is that Jmix web application does not create new sessionid when a new browser session is opened.

Let me explain.

Activity #1: I open a jmix web browser (google chrome), and log in. I click on item browser to display list of Items- the item data coming from the restful service. In the restful service, the request sessionId is logged.

Activity #2: Let’s say I close the google chrome browser completely and open another session, login again to display the list of items. The restful service again still logs the same sessionid of the previous transaction. I expect this second call to log a new sessionid because it is a new web session.

Activity #3: I also use a different browser Edge, open the same jmix application, login to display the items. The restful service again still logs the same sessionid of the previous actvities.

Compare the above scenario actvities to when I call the restful service GET endpoint from within postman, the sessionid works as expected . I close postman completely and open it again, call the GET resource, a new sessionid is logged every time I reopen the postman client.

So in conclusion, I find out that the jmix web application does not create a new sessionid in the restful service application every time there is a new web session but it works fine when I call the same endpoint in postman or other rest clients.

What do you think maybe wrong with Jmix web application that it does not create new sessionid when there is a new web session?

Hope to hear from you soon.

Thanks

pinyazhin · November 8, 2023, 8:16am

Hello!

Could you clarify Jmix version do you use? Is REST service based on Jmix? Do you use authorization in REST service?

olumideo · November 8, 2023, 8:43am

Hi Roman,
Thanks for your reply. Jmix. Jmix version is 1.5. No authorization in the REST service and it is not using Jmix. Only the web is Jmix. When I call this rest service from the Jmix web app from the browser, it always return the same sessionid even if I run the app from another browser or open a new browser session. It always returns the same sessionid. I don’t want this to happen because I need to know when the user is creating a new session especially when a new browser session is being used.

I am using RestTemplate to call the rest service from within Jmix app

Thanks

pinyazhin · November 9, 2023, 9:48am

I’ve tried to reproduce with RestTemplate and I have different session ID in each request.
Jmix application 1.5.4, service is Spring Boot 3.1.5 (without security). I guess, RestTemplate does not use Jmix’s user session ID.

Maybe there is a configuration for RestTemplate to set up cookie JSESSIONID (Postman has this cookie). Also you can try to configure session management in your service.

olumideo · November 10, 2023, 9:45am

Hi Roman,
Thanks for the reply.
You are right that that different request comes with each request when the RestTemplate bean is used without htttpclient. When httpclient is added to the resttemplate, it returns the same session for every request.

I have found that Jmix produces different JSESSIONID from what the resftful services produces. However, when you use Postman to execute the request, both postman seesionid and service sessionid are the same.

My conclusion is that Jmix handles jsessionid diferently from what resftful service produces.

Thanks