问题
I have a stateless Spring application, so I have no use for sessions. I would like to disable everything that has to do with sessions. I have a context.xml Tomcat config, where I have added this:
<Manager pathname="" />
Source^: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html
I have also added this to every http block in my spring security xml file:
create-session="stateless" disable-url-rewriting="true"
Even with these things done, if I manually delete my JSESSIONID cookie, any page I hit will add it again. How do I prevent this?
回答1:
In your tomcat configuration, you can try adding the following attributes to your Context element
<Context cookies=false disableURLRewriting=true ...
From tomcat 6 doc
回答2:
JSPs create a session by default, so that is the most likely cause.
Use
<%@ page session="false" %>
to prevent session creation.
If you also add
<debug />
to the top of your Spring Security configuration, it will log new session creations, along with a stack dump, so you can work out where they are taking place.
The debug filter this adds to the filter chain is a useful feature for tracking how requests are handled during development, not just for session creation issues.
来源:https://stackoverflow.com/questions/14510420/remove-jsessionid-cookie-from-spring-application