Alexander Tumin

Reputation: 1591

How to disable JSESSIONID cookie-based (and any else) session-tracking features in jetty 9?

I wish to disable all kinds of session tracking features in Jetty 9 for my stateless (or manually maintained state) Spring MVC application, but I failed to find any working examples showing how to do so.

I have tried the following /WEB-INF/spring-config.xml tag:

...
<security:http use-expressions="true"
               disable-url-rewriting="true"
               create-session="stateless">
...

Alongside with the following /WEB-INF/jetty-web.xml descriptor in war:

<?xml version="1.0"  encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="usingCookies" type="boolean">false</Set>
        </Get>
    </Get>
</Configure>

But I am still getting JSESSIONID cookies whenever trying to open any page of my application. Any hints why and how to fix it?

Upvotes: 6

Views: 17343

Answers (4)

eis

Reputation: 53462

Implementation of what Pavel Horal suggested in his answer, using Spring Boot, is simply this:

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.Collections;

@Configuration
public class WebContainerConfiguration {
  // Runs while the embedded container is starting, which is the only phase in
  // which ServletContext#setSessionTrackingModes may be called.
  @Bean
  public ServletContextInitializer servletContextInitializer() {
    // Empty set = no COOKIE, URL or SSL tracking, so no JSESSIONID is ever emitted.
    return servletContext -> servletContext.setSessionTrackingModes(Collections.emptySet());
  }
}

Working nicely for me. Thank you!

Upvotes: 3

Tim Büthe

Reputation: 63734

As an alternative to invalidating created sessions, as suggested by user100464, I used an HttpSessionListener that throws Exceptions whenever someone tries to open a session, e.g. by calling request.getSession(), and removed the occurrences.

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Must be registered (a <listener> entry in web.xml or @WebListener) so the
// container invokes it.
public class PreventSessions implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Fails the request that called getSession(); the stack trace shows the caller.
        throw new UnsupportedOperationException("sessions are not allowed");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        throw new UnsupportedOperationException("sessions are not allowed");
    }
}

Upvotes: 1

user100464

Reputation: 18429

You can accomplish the same goal by invalidating the session as soon as the request is complete. You can do that with a ServletRequestListener like this:

import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionKiller implements ServletRequestListener {

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        // no-op
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        final HttpServletRequest servletRequest = (HttpServletRequest) sre.getServletRequest();
        // getSession(false) only returns an existing session; it never creates one.
        final HttpSession session = servletRequest.getSession(false);
        if (session != null) {
            // Discard whatever session was created while handling this request.
            session.invalidate();
        }
    }
}

To use the ServletRequestListener, add the following to the web-app element in the webapp's web.xml:

<listener>
  <listener-class>YOUR-PACKAGE-NAME.SessionKiller</listener-class>
</listener>

Upvotes: 1

Pavel Horal

Reputation: 18194

With Servlet 3 it is possible to set the session tracking mode as a part of servlet registration - ServletContext#setSessionTrackingModes... you can try that.

However, in your case I would investigate who is calling HttpServletRequest#getSession(...). Put a breakpoint in this method to see who is calling it. Some piece of code in your application is initializing the session.

Upvotes: 6
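Pavel's suggestion applied to the asker's setup, a plain Spring MVC WAR on Jetty 9 rather than Spring Boot, as an added example that is not part of any answer on this page. It assumes the Servlet 3.0 API (javax.servlet), which Jetty 9 provides, and an existing Spring @Configuration class named WebConfig; the session listener is included so that any stray getSession() call is caught at once instead of being hunted with a debugger.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;

/**
 * Servlet 3.0 initializer (discovered by Spring's SpringServletContainerInitializer)
 * that turns off every session tracking mode before the DispatcherServlet is registered.
 * setSessionTrackingModes() may only be called during this startup phase.
 */
public class StatelessWebInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // No COOKIE, URL or SSL tracking: the container never emits JSESSIONID,
        // neither as a Set-Cookie header nor as ;jsessionid= URL rewriting.
        servletContext.setSessionTrackingModes(EnumSet.noneOf(SessionTrackingMode.class));

        // Defence in depth: even with tracking disabled, a stray getSession() call
        // still creates a server-side session. Fail loudly, with a stack trace that
        // names the caller, instead of silently accumulating sessions.
        servletContext.addListener(new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent se) {
                throw new IllegalStateException(
                        "HttpSession created in a stateless app; see stack trace for the caller");
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent se) { /* nothing to do */ }
        });

        // Standard Spring MVC bootstrap; WebConfig is an assumed @Configuration class.
        AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
        ctx.register(WebConfig.class);
        servletContext.addServlet("dispatcher", new DispatcherServlet(ctx))
                .addMapping("/");
    }
}
```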
