Can I turn off the HttpSession in web.xml?

by

I would like to eliminate the HttpSession completely

You can’t entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication’s code and making sure that your JSPs don’t implicitly do that by setting <%@page session="false"%>.

If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies attribute to false in <Context> element.

<Context cookies="false">

Also see this Tomcat specific documentation. This way the session won’t be retained in the subsequent requests which aren’t URL-rewritten –only whenever you grab it from the request for some reason. After all, if you don’t need it, just don’t grab it, then it won’t be created/retained at all.

Or, if you’re already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config> element in web.xml as follows to zero-out the max age:

<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an “empty” HttpSession), then you’ll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
        @Override
        public HttpSession getSession() {
            return null;
        }
        @Override
        public HttpSession getSession(boolean create) {
            return null;
        }
    }, response);
}

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

If you don’t need them, just don’t use them. That’s all. Really 🙂

More Related Contents:

  1. Maven: Customize web.xml of web-app project
  2. Socket using in a swing applet
  3. File path to resource in our war/WEB-INF folder?
  4. How to specify the default error page in web.xml?
  5. Hibernate: different object with the same identifier value was already associated with the session [duplicate]
  6. What is the proper way to re-attach detached objects in Hibernate?
  7. What is the significance of url-pattern in web.xml and how to configure servlet?
  8. Add Bean Programmatically to Spring Web App Context
  9. Loading context in Spring using web.xml
  10. Any way to share session state between different applications in tomcat?
  11. Exception starting filter struts2 – tried adding JAR’s, but same result
  12. Best Practices to Create and Download a huge ZIP (from several BLOBs) in a WebApp
  13. “The Struts dispatcher cannot be found” error while deploying application on WebLogic 12.1.3
  14. Initializing Log4J with Spring?
  15. shutdown hook for java web application
  16. sending variable from one jsp to another jsp
  17. How can I share a variable or object between two or more Servlets?
  18. Why after logout clicking back button on the page displays previous page content?
  19. Is there a way to run a method/class only on Tomcat/Wildfly/Glassfish startup?
  20. Referencing Environment Variables in web.xml
  21. Deploying Springboot to Azure App Service
  22. Role/Purpose of ContextLoaderListener in Spring?
  23. Can we use regular expressions in web.xml URL patterns?
  24. NoClassDefFoundError JsonAutoDetect while parsing JSON object
  25. Whitelist security constraint in web.xml
  26. How to set session timeout dynamically in Java web applications?
  27. ExceptionHandler doesn’t work with Throwable
  28. Is synchronization within an HttpSession feasible?
  29. Find number of active sessions created from a given client IP
  30. Could not initialize proxy – no Session

Leave a Comment