After years, I never posted the answer back here. At that time I was busy and forgot about this question. But, today I am looking for a solution in Stackoverflow as usual and saw this notification mentioning I am getting points from this Question. Seems like other developers are facing the same issue. So, I tried to recall how I solved the issue. And yes, I solved by manually put back the session id to track/maintain the session id.

多年后，我再也没有在这里发布答案。当时我很忙，忘记了这个问题。但是，今天我像往常一样在 Stackoverflow 中寻找解决方案，并看到此通知提到我从这个问题中获得积分。似乎其他开发人员也面临同样的问题。所以，我试着回忆我是如何解决这个问题的。是的，我通过手动放回会话 ID 来跟踪/维护会话 ID 来解决。

Please see the code that I manually put back jsessionid inside the servlet.

请参阅我手动将 jsessionid 放回 servlet 中的代码。

HttpSession session = request.getSession();
if (request.getParameter("JSESSIONID") != null) {
    Cookie userCookie = new Cookie("JSESSIONID", request.getParameter("JSESSIONID"));
    response.addCookie(userCookie);
} else {
    String sessionId = session.getId();
    Cookie userCookie = new Cookie("JSESSIONID", sessionId);
    response.addCookie(userCookie);
}

Try adding the Live Http Headers pluginto firefox, and make sure the session cookie is indeed being passed to the browser from the server, and make sure the browser is sending it back again on the next request.

尝试将Live Http Headers 插件添加到 firefox，并确保会话 cookie 确实从服务器传递到浏览器，并确保浏览器在下一个请求时再次将其发送回来。

Please verify if the session is not being invalidated in your code someplace. Look for code similar to request.getSession().invalidate();

请验证会话是否在您的代码中的某处无效。寻找类似的代码request.getSession().invalidate();

First check if the webapp's context.xmldoes nothave cookies="false"configured.

首先检查是否web应用程序的context.xml并没有都cookies="false"配置。

Further it's good to know that cookies are domain, port and contextpath dependent. If the links in the page points to a differentdomain, port and/or contextpath as opposed to the current request URL (the one you see in the browser's address bar), then the cookie won't be passed through which will cause that the session cannot be identified anymore and thus you will get a new one from the servletcontainer.

此外，很高兴知道 cookie 依赖于域、端口和上下文路径。如果页面中的链接指向不同的域、端口和/或上下文路径，而不是当前的请求 URL（您在浏览器的地址栏中看到的那个），那么 cookie 将不会被传递，这将导致会话无法再识别，因此您将从 servletcontainer 中获得一个新会话。

If that is not the cause, then check if you aren't doing a redirecton everyrequest using HttpServletResponse.sendRedirect()for some reason. If you do this already on the very first request, then the cookie will get lost. You'll need to replace

如果这不是原因，请检查您是否出于某种原因没有对使用的每个请求进行重定向。如果您在第一次请求时就已经这样做了，那么 cookie 将会丢失。你需要更换HttpServletResponse.sendRedirect()

response.sendRedirect(url);

by

经过

response.sendRedirect(response.encodeRedirectURL(url));

One possible cause for this is having a "naked" host name (i.e. one without a domain part). That's fairly common if you're working in an Intranet.

造成这种情况的一个可能原因是具有“裸”主机名（即没有域部分的主机名）。如果您在 Intranet 中工作，这很常见。

The problem is that almost all browsers cookies will not accept cookies for hostnames without a domain name. That's done in order to prevent evilsite.comfrom setting a Cookie for com(which would be bad, as it would be the ultimate tracking cookie).

问题是几乎所有浏览器 cookie 都不接受没有域名的主机名的 cookie。这样做是为了防止evilsite.com设置 Cookie com（这会很糟糕，因为它是最终的跟踪 Cookie）。

So if you access your applicaton via http://examplehost/it won't accept any cookie, while for http://examplehost.localdomain/it will accept (and return) the cookie just fine.

因此，如果您通过http://examplehost/它访问您的应用程序，它将不接受任何 cookie，而因为http://examplehost.localdomain/它会接受（并返回）cookie 就好了。

The nasty thing about that is that the server can't distinguish between "the browser got the cookie and ignored it" and "the browser never got the cookie". So each single access will look like a completely new sesson to the server.

令人讨厌的是，服务器无法区分“浏览器获得了 cookie 并忽略了它”和“浏览器从未获得过 cookie”。因此，每次访问对于服务器来说都像是一个全新的会话。

Edit your tomcat context.xmlfile and replace <Context>tag to <Context useHttpOnly="false">, this helped me.

编辑您的 tomcatcontext.xml文件并将<Context>标记替换为<Context useHttpOnly="false">，这对我有帮助。

I experienced a stale https session cookie(my ad-hoc term) problem, due to a secureflag.

由于安全标志，我遇到了陈旧的 https 会话 cookie（我的临时术语）问题。

I had this problem when switching between http and https. The cookie stored by https session was never overwritten by http session. It remained in FireFox memory for eternity. It was visible in FireFox Tools / Options / Privacy / Delete single cookieswhere in Send forfield it was Only for secure connections. Clearing this single cookie or all cookies is a workaround.

我在 http 和 https 之间切换时遇到了这个问题。https 会话存储的 cookie 永远不会被 http 会话覆盖。它永远留在 FireFox 的内存中。它在 FireFox工具/选项/隐私/删除单个 cookie中可见，其中在发送字段中它仅用于安全连接。清除此单个 cookie 或所有 cookie 是一种解决方法。

I was debugging the problem with wget, and I noticed such a header:

我正在用 wget 调试问题，我注意到这样一个标题：

Set-Cookie: JSESSIONID=547ddffae0e5c0e2d1d3ef21906f; Path=/myapp; Secure; HttpOnly

The word secure appears only in https connections and creates this stale cookie. It's a SecureFlag (see OWASP). There are ways to disable this flag on server side, which seems like a permanent solution, but maybe not safe.

安全一词仅出现在 https 连接中并创建此陈旧 cookie。这是一个 SecureFlag（参见OWASP）。有一些方法可以在服务器端禁用此标志，这似乎是一个永久的解决方案，但可能不安全。

Or is it a browser bug, that the cookie is not overwritten?

或者是浏览器错误，cookie 没有被覆盖？

If there is a load balance configuration, will must have to configurate a route in the network for preserve the requests in the same server. Otherwise, the each request will go to a different server, losing the session attribute.

如果有负载均衡配置，则必须在网络中配置一条路由，以便将请求保存在同一服务器中。否则，每个请求都将转到不同的服务器，从而丢失会话属性。

In Your properties

在您的物业

  server.session.cookie.http-only=true
  server.session.cookie.secure=true

Remove these settings, it will retain your session id cookie, which is being reset with every request.

删除这些设置，它将保留您的会话 ID cookie，每次请求都会重置它。

You can use @ResponseStatus(HttpStatus.NO_CONTENT) in your controller's methods for example:

您可以在控制器的方法中使用 @ResponseStatus(HttpStatus.NO_CONTENT) 例如：

 @RequestMapping(value = "/{productId}", method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void delete(@PathVariable String productId)  {
     productDao.deleteById(productId);
    }