
I am using Spring Boot, Spring MVC and Spring Security. I added JWT authorization, so I need to make my application session stateless, so I added the corresponding parameter to my Security Config:

 http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

But when I make any request to my app I get a JSESSIONID cookie. I tried to solve the problem by adding this code to my JWT filter:

    // Expire every cookie the client sent by echoing it back with Max-Age=0
    Cookie[] cookies = httpServletRequest.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            cookie.setMaxAge(0);
            httpServletResponse.addCookie(cookie);
        }
    }

But it did not help, so how do I finally remove it?

My full security code:

@Override
public void configure(HttpSecurity http) throws Exception {

    // Token-based API: no CSRF token and no HTTP session
    http.csrf().disable();

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
            .antMatchers("/user/login").permitAll()
            .antMatchers("/user/get/**").hasRole(Role.BOT.toString())
            .antMatchers("/", "/login**", "/callback/", "/webjars/**", "/error**").permitAll()
            .anyRequest().authenticated();

    // Registers the JWT filter in the security filter chain
    http.apply(new JwtFilterConfiguer(provider));
}
gg ff
  • No. I'm making REST – gg ff Mar 22 '19 at 10:35
  • Are you sure that your configuration is used? Do you use Spring Boot? – dur Mar 22 '19 at 11:55
  • Yes, I use Spring Boot, my security configuration is used for sure. – gg ff Mar 22 '19 at 11:57
  • I have asked a similar question already, have a look here: https://stackoverflow.com/questions/52573539/spring-adds-a-jsessionid-despite-stateless-session-management – Glains Mar 22 '19 at 15:26
  • Possible duplicate of [Spring adds a JSESSIONID despite stateless session management](https://stackoverflow.com/questions/52573539/spring-adds-a-jsessionid-despite-stateless-session-management) – dur Mar 22 '19 at 16:26
  • @ggff have you fixed this issue? I'm facing the same issue and have no clue till now. – NHS Jan 05 '21 at 11:28

1 Answer

A MaxAge of -1 signals that you want the cookie to persist for the duration of the session. You want to set MaxAge to 0 instead.

From the API documentation:

A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted.

You can also follow this link: https://www.baeldung.com/java-servlet-cookies-session

Bheem Singh
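The answer explains the Max-Age semantics, but the question's loop has two further gaps a practitioner will hit: a deletion cookie is only honoured by the browser when its path (and domain) match the original Set-Cookie, and expiring the cookie in a filter does nothing if some component later in the request calls request.getSession(true) and the container issues a fresh JSESSIONID. The filter below is an added example, not code from the question, the answer, or Spring itself. It wraps the request so that any session creation is reported with a stack trace (or refused, in strict mode), which tells you which component is creating the session, and it builds a deletion cookie with the path that Tomcat uses for JSESSIONID (the servlet context path). It assumes Spring Boot 2.x with javax.servlet; the class name SessionGuardFilter, the strict flag and the registration bean are this example's own.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class, not from the question or the answer):
// detects who creates an HTTP session in a supposedly stateless JWT API and
// expires a stale JSESSIONID with a correctly scoped deletion cookie.
public class SessionGuardFilter extends OncePerRequestFilter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    /** When true, session creation throws instead of only being logged. */
    private final boolean strict;

    public SessionGuardFilter(boolean strict) {
        this.strict = strict;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Everything downstream (Spring Security, controllers, error pages, view
        // resolvers) sees this wrapper, so every getSession(true) passes through here.
        HttpServletRequest guarded = new HttpServletRequestWrapper(request) {
            @Override
            public HttpSession getSession() {
                return getSession(true);
            }

            @Override
            public HttpSession getSession(boolean create) {
                HttpSession existing = super.getSession(false);
                if (existing != null || !create) {
                    return existing;
                }
                // The stack trace of this exception names the caller that asked for a session.
                IllegalStateException culprit = new IllegalStateException(
                        "Session creation requested on stateless endpoint " + getRequestURI());
                if (strict) {
                    throw culprit;
                }
                logger.warn("Unexpected session creation", culprit);
                return super.getSession(true);
            }
        };

        // A JSESSIONID the client still carries (e.g. from an earlier stateful build)
        // is expired explicitly. The deletion cookie must match the original's path,
        // which the question's loop left unset.
        if (hasCookie(request, SESSION_COOKIE)) {
            response.addCookie(expiredSessionCookie(request));
        }

        chain.doFilter(guarded, response);
    }

    static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return true;
            }
        }
        return false;
    }

    static Cookie expiredSessionCookie(HttpServletRequest request) {
        Cookie cookie = new Cookie(SESSION_COOKIE, "");
        cookie.setMaxAge(0);                        // zero means delete, as the answer quotes
        String contextPath = request.getContextPath(); // Tomcat scopes JSESSIONID to the context path
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        return cookie;
    }

    @Configuration
    public static class Registration {
        @Bean
        public FilterRegistrationBean<SessionGuardFilter> sessionGuardFilter() {
            FilterRegistrationBean<SessionGuardFilter> registration =
                    new FilterRegistrationBean<>(new SessionGuardFilter(false));
            // Run before Spring Security's filter chain so the wrapper covers it too
            registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return registration;
        }
    }
}
```

Run it first with strict set to false: the logged stack trace shows which component (a view, an error page, an OAuth2 or login handler, a custom filter) called getSession(true), which is the thing to disable or reconfigure; STATELESS only stops Spring Security itself from creating a session. Once no warning appears, switching to strict turns any regression into a failed request rather than a silent cookie.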