1

I would like to set a Spring Boot 2 property to disable all tracking modes. Should it be server.servlet.session.tracking-modes= # Session tracking modes (one or more of the following: "cookie", "url", "ssl"). I.e. leave it without a value?

This is a Spring Boot application that was running on JBoss, but now it will be running standalone (with built-in Tomcat server).

The old code to disable all tracking was as follows:

@SpringBootApplication(exclude = {
        SecurityAutoConfiguration.class
})
@Import(WebAppConfiguration.class)
public class WebAppRunner extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(WebAppRunner.class, args);
    }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.setSessionTrackingModes(emptySet());
        super.onStartup(servletContext);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(getClass());
    }

}

I expect there not to be any tracking, whether hidden or via jsessionid.

awgtek
  • 1,483
  • 16
  • 28
  • @Andreas how is the duplicate an answer? I specifically asked for the equivalent to the above code for Spring Boot 2 that is to remove all tracking including cookies using property files. I want to know if that's possible. – awgtek Jun 11 '19 at 17:35
  • There are 4 different answers. Are you saying that *none* of them work for Spring Boot 2? – Andreas Jun 11 '19 at 17:39
  • They all set tracking to cookie mode. I want to "unset" all tracking using properties if possible. If not I will have to revert to the code I provided in the question. – awgtek Jun 11 '19 at 17:42
  • My hope is to not have to use `extends SpringBootServletInitializer` – awgtek Jun 11 '19 at 17:44
  • They all show **how to set session tracking mode**. Which mode they are setting isn't important. *How* to set is the important part. If you can't *adjust* the code to set the actual modes you *want*, from those examples of *how* to set the modes, then you shouldn't be coding something this complex at all. --- And if you don't want to use `SpringBootServletInitializer`, then use one of the other answers found there. Oh right, **none** of them use `SpringBootServletInitializer`. Did you even read any of the answers? – Andreas Jun 11 '19 at 17:49
  • 1
    I know how to set session tracking mode to _something_. What I don't know is how to set the session tracking mode to _nothing_. I want someone to tell me if it's possible using property files. That answer doesn't address this. – awgtek Jun 11 '19 at 17:52
  • Your code does `setSessionTrackingModes()` and since you don't want any, you give `emptySet()`. Alternatively, you can set `server.servlet.session.tracking-modes` to a list of modes, and since you don't want any, you'd set it to empty value. You even suggested that yourself, so I don't see what your problem is. I mean, other than not *trying* it. – Andreas Jun 11 '19 at 18:01
  • I didn't know that was a valid way to set a property. And I don't know how to test it. It would be nice if there was some documentation to know what values (including no value) are valid. – awgtek Jun 11 '19 at 18:05
  • So you didn't **read the answers**. [Third answer](https://stackoverflow.com/a/50100715/5221149) has link [application property](https://docs.spring.io/spring-boot/docs/1.3.1.RELEASE/reference/htmlsingle/#common-application-properties), which says: *Session tracking modes (one or more of the following: "cookie", "url", "ssl")* – Andreas Jun 11 '19 at 18:11
  • I know that and even included that blurb in my question. Just want to know if it's possible to leave it blank. – awgtek Jun 11 '19 at 18:13
  • Refer this answer https://stackoverflow.com/questions/60289350/how-to-stop-spring-boot-from-adding-session-cookies – domino_katrino Jan 21 '21 at 07:00

0 Answers0