Use credentials: 'include' when calling your API:

fetch('http://localhost:8080/api/comment/edit', {

method: 'POST',

headers: {

'Content-Type': 'application/json'

},

credentials: 'include', // REQUIRED for HttpSession

body: JSON.stringify({

commentId: 1,

isPublished: true

Fix on Backend (Spring Boot)

Your current config uses setAllowCredentials(true), which is correct, but you cannot use "*" for origins when credentials are allowed. You must specify the exact origin of your frontend.

Here’s a working global CORS configuration:

@Configuration

public class CorsConfig {

@Bean

public CorsFilter corsFilter() {

    CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);

    config.addAllowedOrigin("http://localhost:5173"); // React dev server

    config.addAllowedHeader("\*");

    config.addAllowedMethod("\*"); // GET, POST, PUT, DELETE, OPTIONS

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

    source.registerCorsConfiguration("/\*\*", config);

    return new CorsFilter(so

urce);

}

}