How to disable cookie-based JSESSIONID session tracking features (and any others) in Jetty 9?

I want to disable all kinds of session tracking features in Jetty 9 for my Spring MVC application, which is stateless or maintains state manually, but I could not find any working examples showing how to do this.

I tried the following tag in /WEB-INF/spring-config.xml:

    ...
    <security:http use-expressions="true" disable-url-rewriting="true" create-session="stateless">
    ...

along with the following descriptor, /WEB-INF/jetty-web.xml, in the war:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
    <Configure class="org.eclipse.jetty.webapp.WebAppContext">
      <Get name="sessionHandler">
        <Get name="sessionManager">
          <Set name="usingCookies" type="boolean">false</Set>
        </Get>
      </Get>
    </Configure>

But I still get JSESSIONID cookies when I try to open any page of my application. Any clues why and how to fix it?

+4
3 answers

Since Servlet 3, you can set the session tracking modes as part of servlet registration: ServletContext#setSessionTrackingModes ... you can try this.

However, in your case, I would investigate who is calling HttpServletRequest#getSession(...). Place a breakpoint on this method to find out who is calling it. Some code in your application is initializing the session.

+5
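As an added illustration of the setSessionTrackingModes approach mentioned in this answer (example code, not from the original post or from Jetty), the listener below disables every tracking mode at startup and refuses to start the application if any mode is still in effect. It assumes a Servlet 3.x (javax.servlet) container such as Jetty 9 and that annotation scanning is enabled so @WebListener is picked up; the class name NoSessionTrackingListener is hypothetical.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Disables every session tracking mode (JSESSIONID cookie and URL rewriting)
 * for the web application, then verifies that the setting took effect.
 *
 * ServletContext#setSessionTrackingModes may only be called while the context
 * is being initialized; calling it later throws IllegalStateException, which is
 * why this lives in a ServletContextListener rather than in a servlet or filter.
 *
 * Hypothetical class name; added example, not part of the original answer.
 */
@WebListener
public class NoSessionTrackingListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // An empty set: the container neither sets a JSESSIONID cookie nor
        // appends ;jsessionid=... to URLs passed through encodeURL().
        ctx.setSessionTrackingModes(EnumSet.noneOf(SessionTrackingMode.class));

        // Fail closed: refuse to start if a <tracking-mode> in web.xml, another
        // listener or a container default left a tracking mode enabled.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (!effective.isEmpty()) {
            throw new IllegalStateException(
                    "session tracking is still enabled: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

If annotation scanning is off, register the class with a `<listener>` element in web.xml instead. Note that this only stops the container from *transporting* a session id; code that calls `request.getSession()` will still get a server-side session object, which is why the breakpoint advice above still applies. To confirm the fix, request any page with `curl -i` and check that the response carries no `Set-Cookie: JSESSIONID=...` header.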

You can achieve the same goal by invalidating the session as soon as the request is completed. You can do this using a ServletRequestListener as follows:

    import javax.servlet.ServletRequestEvent;
    import javax.servlet.ServletRequestListener;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    public class SessionKiller implements ServletRequestListener {

        public void requestInitialized(ServletRequestEvent sre) {
            // no-op
        }

        public void requestDestroyed(ServletRequestEvent sre) {
            final HttpServletRequest servletRequest = (HttpServletRequest) sre.getServletRequest();
            // getSession(false) returns an existing session only; it never creates one
            final HttpSession session = servletRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
    }

To use the ServletRequestListener, add the following inside the web-app element of your web.xml:

    <listener>
        <listener-class>YOUR-PACKAGE-NAME.SessionKiller</listener-class>
    </listener>
+1

As an alternative to invalidating created sessions, as suggested by user100464, I used an HttpSessionListener that throws an exception whenever someone tries to open a session, for example by calling request.getSession(), and remote entries.

    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class PreventSessions implements HttpSessionListener {

        @Override
        public void sessionCreated(HttpSessionEvent se) {
            // fail loudly the moment any code creates a session
            throw new UnsupportedOperationException("sessions are not allowed");
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            throw new UnsupportedOperationException("sessions are not allowed");
        }
    }
0

Source: https://habr.com/ru/post/1487727/
