Spring Security Sessions without cookies
Have you looked at Spring Session: HttpSession & RestfulAPI which uses HTTP headers instead of cookies. See the REST sample projects in REST Sample.
jsessionid
JSESSIONID Cookie with Expiration Date in Tomcat
As of Servlet 3.0, this can simply be specified in the web.xml: <session-config> <session-timeout>720</session-timeout> <!– 720 minutes = 12 hours –> <cookie-config> <max-age>43200</max-age> <!– 43200 seconds = 12 hours –> </cookie-config> </session-config> Note that session-timeout is measured in minutes but max-age is measured in seconds.
how to refresh JSESSIONID cookie after login
You will not refresh after but just before. When executing the login action first do: HttpSession session = request.getSession(false); if (session!=null && !session.isNew()) { session.invalidate(); } Then do: HttpSession session = request.getSession(true); // create the session // do the login (store the user in the session, or whatever) FYI what you are solving with this … Read more
jsessionid is occurred in all urls which are generated by jstl tag
This isn’t a bug, it’s by design. When a new session is created, the server isn’t sure if the client supports cookies or not, and so it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid … Read more
What is a host only cookie?
First of all, it is not possible for foo.com to set a cookie that can be read by bar.com. Host-only only protects example.com cookies from being read by bar.example.com. From RFC 6265 regarding setting a cookie and its Domain attribute: If the domain-attribute is non-empty: If the canonicalized request-host does not domain-match the domain-attribute: Ignore … Read more
Changing cookie JSESSIONID name
Everything is much simpler with Servlet API 3.0. Now you can configure it in your web.xml: <session-config> <cookie-config> <name>MY_JSESSIONID_YAHOOOOOO</name> </cookie-config> </session-config> That’s it!
Is it possible to disable jsessionid in tomcat servlet?
You can disable for just search engines using this filter, but I’d advise using it for all responses as it’s worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info). Tomcat 6 (pre 6.0.30) You can use the tuckey rewrite filter. Example config for … Read more
Under what conditions is a JSESSIONID created?
JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want to get the session, but not create it if it doesn’t exist, use request.getSession(false) — this will return you a session or null. In this case, new session is … Read more