coderodde

Reputation: 977

A JSP page creates a JSESSIONID cookie where not appropriate

When I visit my page .../index.jsp while having no HttpSessions, index.jsp still creates the JSESSIONID-cookie. Even worse, in the servlet responsible for logging people out, session.invalidate() does not seem to fix the issue.

index.jsp looks like this:

<%@page import="javax.servlet.http.Cookie"%>
<%@page contentType="text/html" pageEncoding="utf-8"%>
<%@page session="true"%>

<%!
    void removeJSessionIdCookie(HttpServletResponse response) {
        // The container's session cookie is named JSESSIONID.
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setValue(null);
        cookie.setMaxAge(0);
        cookie.setPath("/");
        response.addCookie(cookie);
    }
%>


<%
    if (session != null) {
        out.print("Session not null.");
        if (session.getAttribute(Config.CURRENT_USER_ATTRIBUTE) != null) {
            out.print("have user"); 
            request.getRequestDispatcher("app.jsp").forward(request, response);
            return;
        } else {
            out.println("no user here");
            session.invalidate();
            removeJSessionIdCookie(response);
        }
    }
%>
<html>...</html>

Upvotes: 0

Views: 676

Answers (1)

gsl

Reputation: 676

If you have session="true" in your <%@page%> directive, then the JSP framework code always creates a new session if the calling client does not bring a session cookie, i.e. has no session yet.

You need to put session="false" into the page directive; this makes the framework stop creating sessions for you.

Upvotes: 1
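
The answer's fix applied to the question's index.jsp, as an added example that is not part of either post. It assumes the container issued JSESSIONID with the context path as the cookie path; Config is the question's own class, and its import is left out here as it is there.

```jsp
<%@page contentType="text/html" pageEncoding="utf-8"%>
<%@page session="false"%>
<%-- session="false": the container no longer calls getSession() for this page,
     so the implicit "session" variable does not exist here. --%>
<%!
    // Expire the browser's session cookie. Assumption: the container set the
    // cookie path to the context path, so the same path is used to overwrite it.
    void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie("JSESSIONID", "");
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }
%>
<%
    // getSession(false) returns the existing session or null; it never creates one.
    HttpSession existing = request.getSession(false);
    if (existing != null) {
        if (existing.getAttribute(Config.CURRENT_USER_ATTRIBUTE) != null) {
            // Nothing is written to the response before forwarding.
            request.getRequestDispatcher("app.jsp").forward(request, response);
            return;
        }
        // A session without a logged-in user: invalidate it and expire its cookie.
        existing.invalidate();
        expireSessionCookie(request, response);
    }
%>
<html>...</html>
```

Any other JSP reached by the same request (an include or a forward target) that still has session="true" will create a session again, so the directive has to be set on every page that should stay sessionless.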
