8

I need to build a stateless REST service, so no session must be created on the app server and no JSESSIONID cookie must be sent in the response header.

In my Spring XML file I added the following config:

    <http create-session="stateless" disable-url-rewriting="true" use-expressions="true">
        <intercept-url pattern="/product/**" />
        <intercept-url pattern="/*" />
        <http-basic />
    </http>

This way the JSESSIONID cookie is not created. Everything is OK.

However, as soon as I add an authentication configuration, like the following:

    <context:component-scan base-package="training.rest" />
    <http create-session="stateless" use-expressions="true">
        <intercept-url pattern="/product/**" access="hasRole('ROLE_ADMIN')"/>
        <http-basic />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user authorities="ROLE_ADMIN" name="user1" password="password1" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

I see the JSESSIONID in the response header.

How can I solve this problem and make sure that the JSESSIONID cookie is not returned in the response header?

memi

0 Answers
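
One way to check the behaviour asked about above, as an added example that is not part of the original post: a Python script that inspects raw response headers for a `JSESSIONID` `Set-Cookie` or a `;jsessionid=` rewritten URL. The sample responses, paths and session id values are constructed.

```python
import re

# Servlet session cookie name and the URL-rewriting form (;jsessionid=...).
_COOKIE_RE = re.compile(r"^\s*JSESSIONID\s*=", re.IGNORECASE)
_REWRITE_RE = re.compile(r";jsessionid=", re.IGNORECASE)


def parse_headers(raw_response):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # obsolete folded header line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def session_leaks(raw_response):
    """List the ways a response exposes a servlet session id."""
    _, headers = parse_headers(raw_response)
    findings = []
    for name, value in headers:
        if name == "set-cookie" and _COOKIE_RE.match(value):
            findings.append("Set-Cookie issues JSESSIONID")
        elif name in ("location", "content-location") and _REWRITE_RE.search(value):
            findings.append(name + " carries ;jsessionid= (URL rewriting)")
    return findings


# Constructed sample responses (not captured from the poster's application).
STATELESS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
WITH_SESSION = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/rest; HttpOnly\r\n"
    "Content-Type: application/json\r\n\r\n{}"
)
REWRITTEN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://localhost:8080/rest/product/1;jsessionid=0123456789ABCDEF\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("stateless", STATELESS), ("session", WITH_SESSION), ("rewrite", REWRITTEN)):
        print(label, session_leaks(resp) or "no session id exposed")
```

Feeding it the response heads from both an unauthenticated and an authenticated request to `/product/**` shows which request path is the one that creates the session.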