3

I have a stateless Spring application, so I have no use for sessions. I would like to disable everything that has to do with sessions. I have a context.xml Tomcat config, where I have added this:

<Manager pathname="" />

Source: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html

I have also added this to every http block in my Spring Security XML file:

create-session="stateless" disable-url-rewriting="true"

Even with these things done, if I manually delete my JSESSIONID cookie, any page I hit will add it again. How do I prevent this?

Cœur
user1007895

2 Answers

2

In your Tomcat configuration, you can try adding the following attributes to your Context element:

<Context cookies="false" disableURLRewriting="true" ...

From the Tomcat 6 doc

ben75
1

JSPs create a session by default, so that is the most likely cause.

Use

<%@ page session="false" %>

to prevent session creation.

If you also add

<debug />

to the top of your Spring Security configuration, it will log new session creations, along with a stack dump, so you can work out where they are taking place.

The debug filter this adds to the filter chain is a useful feature for tracking how requests are handled during development, not just for session creation issues.

Shaun the Sheep
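
A container-level way to find the same call sites that the debug filter's session-creation log reports, as an added example that is not part of the original answers: an HttpSessionListener that logs a stack trace whenever any code creates a session. The class name and package are hypothetical; it assumes the javax.servlet API used by Tomcat 6 and that the container fires the event on the thread that called getSession().

```java
package com.example; // hypothetical package

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: traces every HttpSession creation in an application that is
 * meant to be stateless.
 *
 * Register it in WEB-INF/web.xml:
 *
 *   <listener>
 *     <listener-class>com.example.SessionCreationTracer</listener-class>
 *   </listener>
 */
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Assumption: the container invokes this listener synchronously, so a
        // Throwable built here carries the stack of the getSession() caller
        // (a JSP without session="false", a filter, a controller, ...).
        // The session ID is deliberately not logged: it is a credential.
        LOG.log(Level.WARNING,
                "HttpSession created in an application configured as stateless",
                new Throwable("session creation call site"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Nothing to trace when a session ends.
    }
}
```

Each warning in the log then points at the component to fix, and an absence of warnings under normal traffic confirms that no JSESSIONID is being issued.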