I am a developer currently working on an open-source solution called GeoNetwork (https://github.com/geonetwork/core-geonetwork/). This application has a Java backend… (read more)
I am a developer currently working on an open-source solution called GeoNetwork (https://github.com/geonetwork/core-geonetwork/). This application has a Java backend that uses a JSESSIONID cookie to track user sessions. One instance of the application can be accessed anonymously here: https://sextant.ifremer.fr/Donnees/Catalogue
The session cookie is set on the first request to the backend with the following parameters:
This application theoretically allows login in from a different origin. For example from https://www.milieumarinfrance.fr/Acces-aux-donnees/Catalogue, which under the hood points to the same backend. We noticed recently that when accessing the application from a different origin in Firefox, the network requests aimed at the "sextant.ifremer.fr" host *do not carry any existing session cookie*, thus rendering authenticated access impossible.
The existing session cookie is correctly used when I add an "allow" exception for the sextant.ifremer.fr origin in the cookies settings of Firefox (see attached screenshot in French). So I figure that it's Firefox that decides not to use any existing cookie when on this origin.
Is there any way to indicate to Firefox that this cookie is legitimate and that it is needed for essential functionalities, without relying on the user allowing the cookie explicitly?
Thanks a lot in advance!