Reputation: 3975
Remove JSESSIONID cookie from Spring Application
I have a stateless Spring application, so I have no use for sessions. I would like to disable everything that has to do with sessions. I have a context.xml Tomcat config, where I have added this:
<Manager pathname="" />
Source^: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html
I have also added this to every http block in my spring security xml file:
create-session="stateless" disable-url-rewriting="true"
Even with these things done, if I manually delete my JSESSIONID cookie, any page I hit will add it again. How do I prevent this?
Upvotes: 3
Views: 10320
Answers (2)
Reputation: 22762
JSPs create a session by default, so that is the most likely cause.
Use
<%@ page session="false" %>
to prevent session creation.
If you also add
<debug />
to the top of your Spring Security configuration, it will log new session creations, along with a stack dump, so you can work out where they are taking place.
The debug filter this adds to the filter chain is a useful feature for tracking how requests are handled during development, not just for session creation issues.
Upvotes: 1
Reputation: 28746
In your tomcat configuration, you can try adding the following attributes to your Context element
<Context cookies=false disableURLRewriting=true ...
From tomcat 6 doc
Upvotes: 2
Related Questions
- Spring adds a JSESSIONID despite stateless session management
- Spring security: Delete cookie for logout
- Changing the JSESSIONID cookie name to something else with Spring Boot Security
- Stateless spring application - JSESSIONID still generated
- How to remove JSESSIONID from cookies?
- Modify JSESSIONID cookie in request headers
- How delete the JSESSIONID cookie from the browser with HttpOnly flag set
- how to set JSESSIONID cookie as secure using Spring security 2 and Apache Tomcat 7 setting
- spring security oauth2 disable jsessionid based session
- Can't remove JSESSIONID cookie