Understanding Nexus Session Cookies

How Does Nexus Use Session Cookies

Nexus 2.11.1 and earlier has a session cookie name of JSESSIONID that could not be changed. There are two endpoints that create session cookies: /service/local/authentication/login and /service/local/status . Server sessions are deleted upon expiry automatically by Nexus or on an explicit end user sign-out. A Nexus logout response does not ask the browser to delete the session cookie - instead the next authenticated request to the status or login resources without a valid session id will respond with a Set-Cookie header with a new session id.

Nexus 2.11.2 and newer has a session cookie name of NXSESSIONID and support for customizing the name. There is only one endpoint that creates session cookies, /service/local/authentication/login. When a session Cookie header is found during a /service/local/authentication/logout GET request, Nexus will delete the session internally and include a Set-Cookie header in the response that asks the user agent to expire the session cookie.

Nexus relies on server side sessions identified with cookies in the web browser user interface only.

How to Configure the Nexus Session Cookie Name

The session cookie name can only be configured in Nexus 2.11.2 or greater.

  1. Edit ${NEXUS_INSTALL_DIR}/conf/nexus.properties. Add a property on a new line that specifies the cookie name you would like Nexus to use.
    For example, to change the session cookie name to JSESSIONID :
  2. Start or restart Nexus for the changes to take effect. Any existing Nexus user interface sessions using the old cookie name will no longer be valid.
Have more questions? Submit a request


Article is closed for comments.