Background of the problem

When a user accesses a specific connection (e.g. http://localhost/index) without permissions, they are redirected to the login page http://localhost/login.

In order to redirect to the target access page http://localhost/index after a successful login, Spring Security stores a message in the cookie, marked as a jsessionid.

When redirected the Servlet container, i.e. tomcat or something like that will add the jsessionid to the back of the redirected url. Something like this: http://localhost/login;jsessionid=xxxxxxxxxx.

This request will be intercepted by Spring Security’s StrictHttpFirewall and throw an exception: The request was rejected because the URL contained a potentially malicious String ";".

Security Policy

OWASP states that exposing jsessionid in a URL is a very dangerous move that can lead to session fixation attacks, so the above behavior is not recommended.


There are currently two solutions.

Allow url to carry jsessionid

If browser cookies are disabled or your application can tolerate the above security vulnerability, then you can take this approach in Spring Security.


Modifying the session mechanism of the servlet container

Configure Tomcat’s trace mode in Spring Boot.