1

I have a concern regarding session creation in Spring 4.

Whenever any JSP page is rendered from the server, Spring creates a session. For example, if the URL is GET /login, then Login.jsp is served and a session is automatically created and sent with the response.

It is affecting my session handling, because I have a filter which executes before DispatcherServlet and checks for the session.

If the session is not active it redirects to login, but after the login.jsp page is rendered it creates a session.

So once the page is passed to the user, his session gets activated and he can access the protected resource.

I can solve this problem by adding some tokens but is there any way by which we can prevent session creation?

I'm using Spring 4. I've tried SessionCreationPolicy.STATELESS and others but it didn't work.

How to prevent session creation?

Thanks,
Sandeep

Roman Cherepanov
sandeep pandey
  • This isn't a Spring issue, it's a JSP issue. You may be able to find an answer by searching about JSPs. I just use Thymeleaf. You also seem to be reinventing the wheel; have you considered using Spring Security instead? – chrylis -cautiouslyoptimistic- Feb 19 '16 at 03:06
  • @chrylis it's specific to Spring because if you don't use Spring and render a JSP page, the container never creates a session unless instructed. I've searched Stack Overflow but didn't get this, hence asked. Yes, I'm using Spring Security. The question is on automatic session creation done by Spring while sending a JSP page. Let me know if you need any input – sandeep pandey Feb 19 '16 at 05:32
  • 2
    A JSP actually does create a session by default, unless you add `<%@ page session="false" %>`. See http://stackoverflow.com/questions/5515729/why-set-a-jsp-page-session-false-directive. – M. Deinum Feb 19 '16 at 06:16
  • @M.Deinum Thanks, it worked. I thought this issue was with Spring, but it was JSP. Thanks again, you saved me a few days. – sandeep pandey Feb 19 '16 at 10:38

1 Answer

0

This problem is not specific to Spring. JSP creates a session by default. So make sure that your JSPs don't implicitly do that by setting `<%@ page session="false" %>`.

Dharman
Swanand