Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
🏒 Enterprise Authentication & Identity Security Series πŸ” Part 1 - What is Authentication? πŸ†” Part 2 - Sessions, Cookies & JSESSIONID ⚖️ Part 3 - Stateful vs Stateless Applications 🎫 Part 4 - JWT (JSON Web Token) & Token-Based Authentication πŸ“Š Part 5 - JWT vs Session vs Cookies Explained πŸšͺ Part 6 - API Authentication & API Gateway Security πŸ”„ Part 7 - OAuth2, OIDC & SAML Explained ☁️ Part 8 - SSO (Single Sign-On), MFA & Microsoft Entra ID 🟦 Part 9 - WebSphere LTPA, Sticky Sessions & Session Replication πŸ›‘️ Part 10 - Zero Trust Security & Authentication Risks

15 Jun 2026

πŸͺ Sessions, Cookies & JSESSIONID Explained - Part 2

Sessions, Cookies & JSESSIONID Explained
  • Welcome to Part 2 of the Authentication & Identity Security series.
  • This article explains how applications remember users after successful login.
  • Designed for Middleware, DevOps, Cloud, and Application Support Engineers.
  • Includes enterprise examples using WebSphere, Tomcat, JBoss, IBM HTTP Server, NGINX, and Load Balancers.

Table of Contents

Introduction

In Part 1, we learned that authentication verifies a user's identity. After authentication is successful, the next important question is: how does the application remember the same user during future requests?

This is where Sessions, Cookies, and JSESSIONID come into the picture. These components help enterprise applications maintain user identity after login without asking the user to authenticate again on every page.

Key Concept:
Authentication verifies the user once, while session management maintains the user's identity throughout the application journey.

What is a Session?

A session is a server-side mechanism used to store user-specific information after successful authentication.

When a user logs in, the application server creates a unique session for that user. The session may store information such as:

  • User ID
  • User role
  • Login time
  • Application permissions
  • User preferences

The session remains active until one of the following events occurs:

  • User logs out
  • Session timeout occurs
  • Application server restarts
  • Session is invalidated by the application
Middleware View:
In WebSphere, JBoss, and Tomcat, sessions are usually stored in application server memory unless session persistence or replication is configured.

How Do WebSphere, JBoss, Tomcat & Docker Store Session Data?

By default, Java application servers store session data in JVM heap memory. The browser only stores the session identifier (JSESSIONID), while the actual user session data remains on the application server.

Platform Default Session Storage High Availability Options
IBM WebSphere JVM Heap Memory Memory-to-Memory Replication, Database Persistence
JBoss EAP / WildFly JVM Heap Memory Session Replication, Infinispan Cache
Apache Tomcat JVM Heap Memory Session Persistence, Redis, Session Replication
Docker Containers Inside Application JVM/Process Redis, Database, Sticky Sessions, External Session Store

Docker Session Storage

Browser
   │
JSESSIONID
   │
Docker Container
   │
Tomcat / JBoss / WebSphere Liberty
   │
JVM Heap Memory

Docker itself does not manage user sessions. Sessions are managed by the application running inside the container.

If a container is restarted, redeployed, or scaled down, in-memory sessions may be lost unless external session storage is configured.

Docker Best Practice:
Use Redis, database persistence, sticky sessions, or JWT-based authentication for better scalability and resilience.

A cookie is a small piece of data stored in the user's browser. Applications use cookies to identify users across multiple HTTP requests.

HTTP is stateless by default. This means every request is independent. Without cookies or tokens, the server cannot easily identify whether two requests are coming from the same user.

After successful login, the server sends a cookie to the browser. 

Set-Cookie: JSESSIONID=ABC123XYZ789

For every next request, the browser automatically sends this cookie back to the server. 

Cookie: JSESSIONID=ABC123XYZ789

What is JSESSIONID?

JSESSIONID is the default session identifier used by Java-based application servers.

It is commonly seen in applications running on:

  • IBM WebSphere Application Server
  • WebSphere Liberty
  • Apache Tomcat
  • JBoss EAP
  • WildFly

JSESSIONID does not usually store the full user data. It acts as a reference ID that helps the application server locate the correct server-side session. 

JSESSIONID=ABC123XYZ789
Important:
The actual session data is normally stored on the server side. The browser usually stores only the session identifier.

How Session Management Works

User
 │
 ▼
Login Page
 │
 ▼
Authentication Successful
 │
 ▼
Application Server Creates Session
 │
 ▼
JSESSIONID Generated
 │
 ▼
Cookie Sent To Browser
 │
 ▼
Browser Sends Cookie With Every Request
 │
 ▼
Application Server Retrieves Session
 │
 ▼
User Continues Application Access

This process allows the application to remember the authenticated user until logout or session timeout.

Enterprise Example: WebSphere Session Flow

Architecture

User Browser
      │
      ▼
IBM HTTP Server
      │
      ▼
WebSphere Application Server
      │
      ▼
Enterprise Application

Session Flow

  1. User accesses the application login page.
  2. User enters username and password.
  3. WebSphere authenticates the user using LDAP or Active Directory.
  4. WebSphere creates a session in application server memory.
  5. WebSphere generates a JSESSIONID.
  6. Browser receives the JSESSIONID as a cookie.
  7. Browser sends the same cookie in every future request.
  8. WebSphere uses JSESSIONID to locate the user's session.

Example HTTP Response

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/app; HttpOnly; Secure

Example HTTP Request

GET /app/dashboard HTTP/1.1
Host: www.company.com
Cookie: JSESSIONID=ABC123XYZ789

Sessions Through Load Balancers

In enterprise environments, applications often run on multiple servers behind a load balancer. 

User Browser
      │
      ▼
NGINX / IBM HTTP Server / F5 / Azure Load Balancer
      │
      ▼
 ┌───────────────┬───────────────┐
 │ WebSphere-01  │ WebSphere-02  │
 └───────────────┴───────────────┘

If a user logs in through WebSphere-01 but the next request goes to WebSphere-02, the session may not be available on WebSphere-02 unless session replication or sticky session is configured.

Common Solutions

  • Sticky Session: Route the same user to the same backend server.
  • Session Replication: Copy session data across cluster members.
  • External Session Store: Store sessions in Redis, database, or distributed cache.
Production Tip:
For stateful Java applications, session affinity is commonly configured at IBM HTTP Server, NGINX, F5, or application server plugin level.

Session vs Cookie vs JSESSIONID

Component Purpose Stored In Example
Session Stores user-specific data Application Server User ID, role, login time
Cookie Stores small client-side data Browser JSESSIONID cookie
JSESSIONID Identifies the server-side session Browser cookie or URL ABC123XYZ789

Session Security Best Practices

Session security is very important because attackers may try to steal or misuse session identifiers.

  • Use Secure flag so cookies are sent only over HTTPS.
  • Use HttpOnly flag to reduce JavaScript-based cookie theft.
  • Use SameSite attribute to reduce CSRF risk.
  • Regenerate session ID after successful login.
  • Configure proper session timeout.
  • Invalidate session during logout.
  • Avoid exposing JSESSIONID in URLs.

Recommended Cookie Example

Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/; Secure; HttpOnly; SameSite=Lax

Common Session Issues

Middleware and DevOps teams commonly troubleshoot session-related issues in production environments.

Issue Possible Cause
User logged out unexpectedly Session timeout or server restart
Session lost after login Cookie not stored or wrong cookie path
Intermittent logout in cluster Sticky session or replication issue
JSESSIONID not visible Application not creating session
Cookie not sent over HTTPS Secure flag or domain/path mismatch
Login loop SSO, cookie, or reverse proxy issue

Key Takeaways

  • Authentication verifies identity.
  • Sessions maintain user identity after login.
  • Cookies store identifiers in the browser.
  • JSESSIONID is the default session identifier for Java applications.
  • Session affinity and replication are important in clustered environments.
  • Cookie security flags such as Secure, HttpOnly, and SameSite improve session security.
  • Session management is critical for WebSphere, JBoss, Tomcat, and enterprise applications.

What’s Next?

Next Article:
Part 3 – Stateful vs Stateless Applications

In the next article, we will understand the difference between stateful and stateless applications and why this concept is important for scaling enterprise applications, APIs, and cloud workloads.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by:
Tags: , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)