How to prevent a JSESSIONID from being created when accessing a JSP page?


I created a simple JSP page, which does nothing but call a Servlet to validate a login. Here is the code of the page index.jsp:

<%@page contentType="text/html" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Foo</title>
    </head>
    <body>
        <form action="validalogin" method="post">
            <input type="text" placeholder="login" name="user"/>
            <input type="password" placeholder="senha" name="pass"/>
            <input type="submit" value="Entrar"/>
        </form>
    </body>
</html>

When I run this code, a JSESSIONID is automatically generated, as in the following image. The problem is that this happens even before calling the Servlet, i.e., the JSP is creating a session: [image]

The form will be sent to the Servlet (where the session will be created/validated), but as the page is creating one automatically, when the request arrives in the Servlet it gives the session as valid because it has already been created previously.

I cleared the browser cookies and refreshed the page (F5), and the result was the same: a new JSESSIONID was generated.

I did some research and found something related to the subject in this answer on Stack Overflow, where the author states that:

Every call to JSP page implicitly creates new Session if there is no Session yet. This can be turned off by session='false' page Directive, in which case Session variable is not available on JSP page at all.

After that, I updated the directive from my page to the following:

<%@page contentType="text/html" pageEncoding="UTF-8" session="false" %>

And when I cleared the cookies and refreshed the page, a JSESSIONID was generated again.


I don’t know if it’s something related to the server, but I’m using Apache Tomcat. I even looked in the configuration file server.xml for something related to automatic session creation and found nothing.

How do I modify this behavior? I gathered all the details I found relevant to the question; if anything is missing, let me know in the comments.

  • Maybe this link can help you... http://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml

  • @Guilhermeiazzetta This will "kill" any session. I just wouldn’t want you to be logged in when accessing a JSP page. This session will be created after the user has been validated, and the Servlet will create it (and not the page, as is being done). But thank you.

1 answer


After several attempts and a lot of struggling to solve this, I succeeded. The solution was to use the session="false" attribute, which I quoted in the question and which I had previously tried unsuccessfully.

When I declared the directive in the following form, the session was created (even defined as false):

<%@page contentType="text/html" pageEncoding="UTF-8" session="false"%>

However, when I defined this attribute in a separate directive the session was no longer created, exactly as I needed it to be. I didn’t understand the reason because I didn’t read/find anything saying that the order of the statement might interfere with something, but the problem was solved with:

<%@page session="false"%>
<%@page contentType="text/html" pageEncoding="UTF-8"%>

It also worked with:

<%@page session="false" contentType="text/html" pageEncoding="UTF-8"%>
