Allow independent configuration of Operaton session cookie to avoid JSESSIONID conflicts

[Isax03]

Describe the bug When using Operaton BPM with a Spring Boot backend that also uses Keycloak authentication, the JSESSIONID cookie is overwritten by frontend requests.
This happens because Operaton hardcodes the cookie name, and currently the only way to change it is via the Spring Boot property server.servlet.session.cookie.name.
This causes conflicts when both the backend and Operaton share the same Spring Boot application. The issue occurs in a localhost environment.

To Reproduce Steps to reproduce the behavior:

1. Run a Spring Boot backend application.
2. Include the module org.operaton.bpm.springboot:operaton-bpm-spring-boot-starter-webapp with Keycloak plugin enabled.
3. Access the Operaton cockpit with Keycloak users (works as expected).
4. Use a frontend that calls backend services with Keycloak authentication.
5. Notice that every frontend update overwrites the JSESSIONID cookie, causing session conflicts.

Expected behavior Operaton should allow configuring its session cookie name independently from the backend, so that both can coexist without conflicts.

Proposed solution Introduce a new property in application.properties/application.yaml under operaton.bpm.* to configure the session cookie name specifically for Operaton, e.g., operaton.bpm.session.cookie.name.

• Default behavior should still use JSESSIONID to avoid breaking changes.
• The old method via server.servlet.session.cookie.name should continue to work for backward compatibility.
• In a future major version, the old method can be deprecated in favor of the new property.

Additional context

• Operaton version: 1.0.0  

[kthoms]

Thank you for reporting this issue. Your request sounds like a valuable feature, and adding an additional property with fallback to the existing behavior sounds like a valid approach.
@javahippie WDYT?

[cachescrubber]

Do you use the operaton-keycloak plugin? Did it worked with Camunda?

[cachescrubber]

cc @jomu78 - didn't you noticed the issue while updating?

[Isax03]

It is an old issue. This happens also with camunda.
I didn't tried but I think the issue will persist even if I remove the keycloak plugin and if I use a "local auth" for operaton.
The problem is that spring replaces the JSESSIONID when I login from my frontend (obviously it happens only in localhost)

[javahippie]

Hi @Isax03, thanks for your report!

I browsed the old Camunda issues and found this one, where they described a similar constellation, cookie based consistent hashing, which also introduces new cookies and recommended to avoid collisions by renaming the externally provided cookie https://github.com/camunda/camunda-docs-manual/pull/1704/files

I agree that this is an issue which might hit people in unexpected ways. As a first minor step we should think about amending the official documentation, there is no info in there about this. Additionally we should check if we could make the operaton-keycloak-plugin use a different cookie name by default to avoid these conflicts, and discuss the proposed change here for a new configuration parameter (or similar measures)

[Isax03]

I haven’t looked deeply into this issue, but I don’t think the weak point is the Keycloak plugin. As I mentioned before, I believe the problem would occur even with the default login method.

[jomu78]

@cachescrubber : yes, this is the problem I also have, but I configured it via server.servlet.session.cookie.name

What I can see

• it works for me on Camunda 7.24.0
• camunda.bpm.webapp.session-cookie.cookie-name seems to have no effect - if I disable server.servlet.session.cookie.name the cookie is named JSESSIONID otherwise it is the value I configured - but it never takes the value from camunda.bpm.webapp.session-cookie.cookie-name

When I upgrade to operaton and rename the cookie via server.servlet.session.cookie.name it fails
It also fails, if I disable the keycloak plugin and run via local admin user

Once I comment out server.servlet.session.cookie.name it works for both - with or without the plugin.

[mateuszpuk]

Hi, I could take on this task

[github-actions]

Hey @mateuszpuk! 🎉

Thanks for joining the discussion and leaving your first comment here. 💬
We’re glad to have you on board!

👉 Just a quick reminder to check out our Contributing Guidelines and the Code of Conduct so we can keep the collaboration smooth and welcoming for everyone.

We appreciate your input and look forward to more of your contributions. 🚀

[kthoms]

Thank you @mateuszpuk ! Much appreciated.