3

I am building a RESTful web API in Spring Boot with my own implementation of JWT Authentication and my own authorization as well (not Spring Security). I simply wish to turn off JSESSIONID and run completely stateless, but the only documentation I can find is about turning off session only after enabling Spring Security (see here: How to make spring boot never issue session cookie? for example). I don't want Spring Security and I don't want HttpSession or JSESSIONID either.

Does setting server.session.timeout=0 in application.properties work? The doc does not specify the behavior if the timeout is set to 0.

Geyser14
  • 1,385
  • 3
  • 14
  • 32

1 Answers1

0

I opened a Spring GitHub Issue about this a few months ago, and the response was that Spring MVC does not create sessions on its own. In my case, I saw that, indeed, the simplest form of a Controller did not create a session, it was something else in my application that was doing so.

dbreaux
  • 4,982
  • 1
  • 25
  • 64