Understanding Nexus Repository 2 Session Cookies

Visit my.sonatype.com for documentation on Nexus Repository version 2.

How Does Nexus Repository 2 Use Session Cookies?

Nexus Repository 2.11.1 and earlier has a session cookie name of JSESSIONID that could not be changed. There are two endpoints that create session cookies: /service/local/authentication/login and /service/local/status . Server sessions are deleted upon expiry automatically by Nexus Repository 2 or on an explicit end user sign-out. A Nexus logout response does not ask the browser to delete the session cookie - instead the next authenticated request to the status or login resources without a valid session id will respond with a Set-Cookie header with a new session id.

Nexus Repository 2.11.2 and newer has a session cookie name of NXSESSIONID and support for customizing the name. There is only one endpoint that creates session cookies, /service/local/authentication/login. When a session Cookie header is found during a /service/local/authentication/logout GET request, Nexus Repository 2 will delete the session internally and include a Set-Cookie header in the response that asks the user agent to expire the session cookie.

Nexus relies on server side sessions identified with cookies in the web browser user interface only.

How to Configure the Nexus Repository 2 Session Cookie Name

The session cookie name can only be configured in Nexus Repository 2.11.2 or greater.

  1. Edit ${NEXUS_INSTALL_DIR}/conf/nexus.properties. Add a property on a new line that specifies the cookie name you would like Nexus to use.
    For example, to change the session cookie name to JSESSIONID :
  2. Start or restart Nexus Repository 2 for the changes to take effect. Any existing user interface sessions using the old cookie name will no longer be valid.
Have more questions? Submit a request


Article is closed for comments.