Behaviour of Spring Security in Bakery App (Spring)

Hi,

while working on my own Spring / Vaadin 10 application I wanted to include Spring Security as the security framework, and as it is used in the full stack bakery app I did it the way it is implemented there.

Now that I’m finished with implementing Spring Security in my app I recognized a behaviour from which I thought it is “wrong”. But then I compared it with bakery and the behavior is the same:

After starting the app (spring-boot run) and calling localhost:8080 after logging in I open a new browser tab, enter localhost:8080, press enter and I am still logged in in that 2nd tab. This might be okay. But even if I open an anonymous tab in the browser and call localhost:8080 I am still logged in, even in the anonymous window/tab. I have to close all anonymous and non-anonymous tabs of my browser and then when opening the browser again and calling localhost:8080 I am landing on the login page again.

Is that a wanted/intended behaviour?

I thought when opening a new anonymous browser tab and calling localhost:8080 I would get a new session and so had to relogin.

I’m using Chrome.
Opening a new tab re-uses the same session. Opening a new incognito window and going to localhost:8080 opens a login page. Opening another tab in the same incognito window or another incognito mode reuses the session. Session is tracked by JSESSIONID Cookie so I think the behavior is as it has been designed.

Yes, you are absolutely right. What was confusing me is the fact that multiple opened incognito tabs/windows share the same session. The JSESSIONID is indeed the same. Thank you for the explanation.
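
The cookie behaviour discussed in this thread, as an added example that is not part of the original posts or of the Bakery app. A toy local HTTP server stands in for the Spring application (the `/login` endpoint, the `SESSIONS` store and the page bodies are constructed assumptions), and two cookie jars stand in for the normal and the incognito browser profile.

```python
import http.cookiejar, threading, urllib.request, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = set()  # constructed stand-in for the server-side session store

class App(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = dict(p.strip().partition("=")[::2]
                       for p in self.headers.get("Cookie", "").split(";") if "=" in p)
        sid = cookies.get("JSESSIONID")
        self.send_response(200)
        if self.path == "/login":  # hypothetical endpoint: authenticates, issues a session
            sid = uuid.uuid4().hex
            SESSIONS.add(sid)
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        body = b"app" if sid in SESSIONS else b"login page"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def tab(jar):
    """A tab is just another client reading and writing its profile's cookie jar."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}),
                                       urllib.request.HTTPCookieProcessor(jar))

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), App)  # port 0: pick any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    fetch = lambda jar, path: tab(jar).open(base + path).read().decode()
    sid = lambda jar: next((c.value for c in jar if c.name == "JSESSIONID"), None)
    normal, incognito = http.cookiejar.CookieJar(), http.cookiejar.CookieJar()
    seen = {
        "normal tab 1 (logs in)": fetch(normal, "/login"),
        "normal tab 2": fetch(normal, "/"),
        "incognito tab 1": fetch(incognito, "/"),
        "incognito tab 1 (logs in)": fetch(incognito, "/login"),
        "incognito tab 2": fetch(incognito, "/"),
    }
    server.shutdown()
    server.server_close()
    return seen, sid(normal), sid(incognito)

if __name__ == "__main__":
    seen, normal_sid, incognito_sid = run_demo()
    for step, page in seen.items():
        print(f"{step:27} -> {page}")
    print("same JSESSIONID in both profiles:", normal_sid == incognito_sid)
```

The server never sees tabs or windows, only whichever `JSESSIONID` the client's cookie jar sends, so every tab sharing a jar shares the session.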