How is a session being created before my Spring interceptor is reached?

Question

Client device clears all cookies (so, no JSESSIONID cookie exists on the client).
Client makes a request to Spring controller.
Spring Interceptor intercepts the request.

In the very first line of the preHandle() method of the Spring interceptor, I log the value of request.getRequestedSessionId() and the logs show a value for this, which should mean that a JSESSIONID was, in fact, received from the client. However, my Fiddler logs show that no JSESSIONID was sent in the request.

In addition, request.getSession(false).getId() returns that same JSESSIONID.

So, how/when/why were the session and JSESSIONID created before the interceptor is even reached? I would expect request.getRequestedSessionId() to be null if no JSESSIONID cookie was sent by the client.

And how do I prevent sessions from being created "on the fly" like this?

If it matters, the resource being requested is implemented like this:

@Controller
public class LoginController {
   .
   .
   .
   @RequestMapping(value = { "/controller/index.do" })
   public final ModelAndView login(final HttpServletRequest request, final HttpServletResponse response) {
      .
      .
      .

EDIT - As mentioned in this answer, I unserstand that every call to JSP page implicitly creates new session if there is no session yet. But would this happen before the interceptor is reached?

EDIT2 - The interceptor is an instance of org.springframework.web.servlet.handler.HandlerInterceptorAdapter

Do you want to add details on what interceptors are being used ? — happybuddha, Jul 10 '13 at 14:56
Try a [servlet filter](http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) instead of a Spring `interceptor`. The session is established prior to your interceptor by the Java EE container. — GriffeyDog, Jul 10 '13 at 14:57
@happybuddha The interceptor is an instance of `org.springframework.web.servlet.handler.HandlerInterceptorAdapter` — CFL_Jeff, Jul 10 '13 at 18:44
@GriffeyDog would the code in the servlet filter run BEFORE the Java EE container establishes the session? — CFL_Jeff, Jul 10 '13 at 18:48
@GriffeyDog if you can post an answer that explains how to use a servlet filter to prevent a session from being created on the fly BEFORE the request reaches the interceptor, I will graciously accept it! — CFL_Jeff, Jul 11 '13 at 13:10

score 0 · Accepted Answer · answered Jul 11 '13 at 14:29

You should be able to use a servlet filter. Something like this (untested):

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class MyFilter implements Filter {
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException,
      ServletException {
    HttpServletRequest request = (HttpServletRequest) req;         
    HttpSession session = request.getSession(false);
    HttpServletResponse response = (HttpServletResponse) resp;
    if (session == null) {
      // no session has been established yet      
    }
    chain.doFilter(req, resp); 
  }

  public void destroy() {
    // TODO Auto-generated method stub

  }

  public void init(FilterConfig filterConfig) throws ServletException {
    // TODO Auto-generated method stub

  }
}

Then, in your web.xml:

<filter>
  <filter-name>SessionFilter</filter-name>
  <filter-class>mypackage.MyFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionFilter</filter-name>
  <url-pattern>/*</url-pattern> <!-- or whatever specific URL mappings you need -->
</filter-mapping>

Thanks! I think I may be able to use a servlet filter to detect when sessions are getting created on the fly. — CFL_Jeff, Jul 11 '13 at 14:49

How is a session being created before my Spring interceptor is reached?

1 Answers1