Describe the bug
After authenticating locally on a Spring Boot app with an incognito browser, when I open a new incognito browser, I should be challenged/forced to authenticate again.
To Reproduce
Spring Boot + Security: 5.5.2.
- Start Spring Boot service locally (localhost)
- Start Firefox or Chrome private/incognito browser instance
- Log in to Spring Boot App (Spring Boot Security + OAuth2)
- Login successful
- Open another private/incognito browser instance
- Navigate to secure webpage
- No prompt to login, automatically access the webpage
or
Rename or delete JSESSIONID cookie in Incognito browser, refresh page. A new one is generated.
Expected behavior
Every incognito/private browser session should be forced to authenticate.
Comment From: eleftherias
Hi @tomaytotomato, this is the intended behaviour in Chrome. You will notice that this is not specific to Spring Security applications. If you log into any website, for example Gmail, Facebook, etc., you will notice the same behavior.