Session cookies on /api
A normal HTTP GET request to /api should not generate new cookies:
A request to /api/v1/geo/iso3166/decode?locale=en is quite frequent from the UI and it includes JSESSIONID and hz-session-id in the request:
Cookie: GENESYS_sandbox.genesys-pgr.org=eyJhbGciOixxxx.eyJleHAixxx.e9piZqWpIxxxx; G_ENABLED_IDPS=google; G_AUTHUSER_H=1; JSESSIONID=node063vg9xhbqpul1z20x2tr6ov683.node0; hz-session-id=HZ72872DD6A59743BCBF6E66EAD733E702
Both relevant cookies, JSESSIONID and hz-session-id, are set to SameSite (i.e. api.sandbox.genesys-pgr.org).
They should be completely ignored for requests to /api. It's even stranger that there are two hz-session-id cookies in the response?
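A check for the behaviour described above, as an added example that is not part of the original report: it flags any /api response that sets JSESSIONID or hz-session-id, and any cookie name set more than once in one response. The function name, the issue labels and the sample Set-Cookie headers are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Cookie names taken from the report; everything else here is hypothetical.
SESSION_COOKIES = {"JSESSIONID", "hz-session-id"}

def audit_api_response(url, headers):
    """Audit one response. headers is a list of (name, value) pairs, so
    repeated Set-Cookie headers are preserved. Returns (cookie, issue) tuples."""
    path = urlsplit(url).path
    if path != "/api" and not path.startswith("/api/"):
        return []  # only /api is expected to be free of session cookies
    # The cookie name is everything before the first '=' of the first attribute.
    names = [
        value.split(";", 1)[0].split("=", 1)[0].strip()
        for name, value in headers
        if name.lower() == "set-cookie"
    ]
    findings = []
    for cookie, count in sorted(Counter(names).items()):
        if cookie in SESSION_COOKIES:
            findings.append((cookie, "session-cookie-set"))
        if count > 1:
            findings.append((cookie, "duplicate"))
    return findings

# Constructed sample response headers (values are placeholders, not captured data).
SAMPLE_URL = "/api/v1/geo/iso3166/decode?locale=en"
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "JSESSIONID=PLACEHOLDER1; Path=/; HttpOnly"),
    ("Set-Cookie", "hz-session-id=PLACEHOLDER2; Path=/; HttpOnly"),
    ("Set-Cookie", "hz-session-id=PLACEHOLDER3; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, issue in audit_api_response(SAMPLE_URL, SAMPLE_HEADERS):
        print(f"{SAMPLE_URL}: {cookie}: {issue}")
```

Feeding it the header pairs from an HTTP client that keeps repeated headers separate makes the duplicate hz-session-id case visible in an automated test.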