Can I turn off the HttpSession in web.xml?

java web-applications session web.xml

I would like to eliminate the HttpSession completely - can I do this in web.xml? I'm sure there are container specific ways to do it (which is what crowds the search results when I do a Google search).

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.


I would like to eliminate the HttpSession completely

You can't entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>.

If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies attribute to false in <Context> element.

<Context cookies="false">

Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, just don't grab it, then it won't be created/retained at all.

Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config> element in web.xml as follows to zero-out the max age:

<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an "empty" HttpSession), then you'll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
        @Override
        public HttpSession getSession() {
            return null;
        }
        @Override
        public HttpSession getSession(boolean create) {
            return null;
        }
    }, response);
}

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

If you don't need them, just don't use them. That's all. Really :)


If you are building a stateless high load application you can disable using cookies for session tracking like this (non-intrusive, probably container-agnostic):

<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config>

To enforce this architectural decision write something like this:

public class PreventSessionListener implements HttpSessionListener {
@Override
public void sessionCreated(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}

@Override
public void sessionDestroyed(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}
}

And add it to web.xml and fix places where it fails with that exception:

<listener>
    <listener-class>com.ideas.bucketlist.web.PreventSessionListener</listener-class>
</listener>

In Spring Security 3 with Java Config, you can use HttpSecurity.sessionManagement():

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

Xml looks like this;

<http create-session="stateless">
  <!-- config -->
</http>

By the way, the difference between NEVER and STATELESS

NEVER:Spring Security will never create an HttpSession, but will use the HttpSession if it already exists

STATELESS:Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext


I use the following method for my RESTful app to remove any inadvertent session cookies from being created and used.

<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

However, this does not turn off HttpSessions altogether. A session may still be created by the application inadvertently, even if it disappears in a minute and a rogue client may ignore the max-age request for the cookie as well.

The advantage of this approach is you don't need to change your application, just web.xml. I would recommend you create an HttpSessionListener that will log when a session is created or destroyed so you can track when it occurs.

Related

Angular 2 filter/search list
How to decode viewstate
Call and Callvirt
Is there a migration tool from CVS to Git?
How to check an IP address is within a range of two IPs in PHP?
Xcode 6.0.1 Command /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swiftc failed with exit code 1
How to determine file, function and line number?
Are static variables in a base class shared by all derived classes?
How do you initialise a dynamic array in C++?
Checking odd/even numbers and changing outputs on number size
How to get annotations of a member variable?
Change icons of checked and unchecked for Checkbox for Android