4

We have a spring-boot application that uses WebSecurityConfigurerAdapter.configure() to handle form login via

http.formLogin().loginPage("/login")

When the browser hits any GET mappings (/ typically) it redirects to the login page and creates a session in the database - we are using spring session jdbc.

We want to try to prevent this until the user successfully logs in.

We have tried disabling session for root via

http.antMatcher("/").sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // or NEVER

However a session is required once logged in so this produces other issues.

Is there any configuration that can delay session creation until the user successfully logs in?

  • Possible duplicate of https://stackoverflow.com/questions/41296253/how-to-stop-jsp-from-creating-sessions-on-page-load – dur Apr 13 '19 at 10:15
  • Possible duplicate of https://stackoverflow.com/questions/11374178/jsp-session-is-not-null – dur Apr 13 '19 at 10:17

1 Answer

0

I found this answer when googling 'setCreateSessionAllowed', which is hit in HttpSessionRequestCache, and found this GitHub issue, which is the same issue I'm seeing.

https://github.com/spring-projects/spring-security/issues/4242

The fix is to call setCreateSessionAllowed(false) as suggested in that GitHub issue.
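
One way to wire the setting from the answer above into the form-login configuration from the question, as an added example that is not the poster's or the Spring project's code. The class name SecurityConfig and the authorizeRequests rules are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

// Hypothetical class name; the question only says the application
// extends WebSecurityConfigurerAdapter and uses formLogin().loginPage("/login").
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The request cache saves the URL an anonymous user asked for before
        // the redirect to /login. By default it creates an HttpSession to hold
        // that saved request; with this flag off it only uses a session that
        // already exists, so the redirect alone no longer inserts a row into
        // the Spring Session JDBC table.
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
        requestCache.setCreateSessionAllowed(false);

        http
            // Replace the default request cache with the one configured above.
            .requestCache()
                .requestCache(requestCache)
            .and()
            // Assumed access rules: the login page is public, the rest is not.
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            // Session creation policy is left at its default so that a session
            // is still created once authentication succeeds.
            .formLogin()
                .loginPage("/login");
    }
}
```

With the flag off, a user who had no session is sent to the default success URL after login rather than to the page originally requested, because that request was never saved. Other components can still create a session before login, for example a login view that renders a session-stored CSRF token or a JSP page with sessions enabled, so check the session table after applying the change.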