Posted to users@tomcat.apache.org by Daniel NAZARKIEWICZ <dn...@gmail.com> on 2013/07/17 22:31:10 UTC

Disable the session in tomcat

What is the procedure to disable the session (JSESSIONID) entirely
within Tomcat 7?

Thank you
Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Disable the session in tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Niki,

On 7/18/13 1:32 AM, Niki Dokovski wrote:
> On Thu, Jul 18, 2013 at 12:22 AM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Daniel,
> 
> On 7/17/13 5:04 PM, Daniel NAZARKIEWICZ wrote:
>>>> Yes, I want to prevent sessions from being created because
>>>> the sessions are not needed in my specific case, so no
>>>> session at all, neither in the cookie nor in the URL.
>>>> 
>>>> Is this possible?
> 
> Yes. Write a HttpSessionListener and unconditionally throw an 
> exception from the sessionCreated() method and kill the session.
> Like this:
> 
> public class IronFistedHttpSessionListener
>     implements HttpSessionListener
> {
>     @Override
>     public void sessionCreated(HttpSessionEvent se)
>     {
>         se.getSession().invalidate();
>         throw new IllegalStateException("Session use is not permitted.");
>     }
>
>     @Override
>     public void sessionDestroyed(HttpSessionEvent se)
>     {
>       // Do nothing
>     }
> }
> 
> 
>> If sessions are not needed, most probably you don't have state as
>> well. IMHO it is better to see what leads to session creation and
>> avoid it than having artificial session termination code.

What better way to find out where code is creating sessions than to
have a full stack trace to that location?

-chris


Re: Disable the session in tomcat

Posted by Niki Dokovski <ni...@gmail.com>.
On Thu, Jul 18, 2013 at 12:22 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Daniel,
>
> On 7/17/13 5:04 PM, Daniel NAZARKIEWICZ wrote:
> > Yes, I want to prevent sessions from being created because the
> > sessions are not needed in my specific case, so no session at all,
> > neither in the cookie nor in the URL.
> >
> > Is this possible?
>
> Yes. Write a HttpSessionListener and unconditionally throw an
> exception from the sessionCreated() method and kill the session. Like
> this:
>
> public class IronFistedHttpSessionListener
>     implements HttpSessionListener
> {
>     @Override
>     public void sessionCreated(HttpSessionEvent se)
>     {
>         se.getSession().invalidate();
>         throw new IllegalStateException("Session use is not permitted.");
>     }
>
>     @Override
>     public void sessionDestroyed(HttpSessionEvent se)
>     {
>       // Do nothing
>     }
> }
>
>
If sessions are not needed, most probably you don't have state as well. IMHO
it is better to see what leads to session creation and avoid it than having
artificial session termination code.



> Note that this may cause parts of your code to start to fail. Now, it
> will be your job to fix the parts of your code that are triggering
> sessions to be created.
>
> For example, if you don't explicitly state session="false" in all of
> your JSPs, a session will be created by default. So, you'll need to
> edit all the JSPs you have that don't state session="false" so they
> won't create sessions.
>
> You may have other places in your code where sessions are created due
> to careless code. Fix those and your HttpSessionListener should never
> be invoked.
>
> -chris

Re: Disable the session in tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 7/17/13 5:31 PM, Mark Thomas wrote:
> On 17/07/2013 22:22, Christopher Schultz wrote:
> 
>> For example, if you don't explicitly state session="false" in all
>> of your JSPs, a session will be created by default. So, you'll
>> need to edit all the JSPs you have that don't state
>> session="false" so they won't create sessions.
> 
> I think you should be able to use a JSPPropertyGroup that defines
> a prelude that does that for all JSPs.

Aah, good point. I never use JSP so I can't remember all the tricks
available to get around the foolish default configurations ;)

-chris


Re: Disable the session in tomcat

Posted by Mark Thomas <ma...@apache.org>.
On 17/07/2013 22:22, Christopher Schultz wrote:

> For example, if you don't explicitly state session="false" in all of
> your JSPs, a session will be created by default. So, you'll need to
> edit all the JSPs you have that don't state session="false" so they
> won't create sessions.

I think you should be able to use a JSPPropertyGroup that defines a
prelude that does that for all JSPs.

Mark
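
The prelude suggestion above, combined with registration of the listener posted earlier in the thread, as a web.xml added here (it is not part of any message in the thread). The package name com.example and the prelude path /WEB-INF/jspf/no-session.jspf are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Register the listener from this thread so it is called whenever a
       session is created. The package com.example is an assumption;
       use the package the class is actually compiled into. -->
  <listener>
    <listener-class>com.example.IronFistedHttpSessionListener</listener-class>
  </listener>

  <!-- Statically include a prelude at the top of every JSP so that none
       of them creates a session by default. The file name is an assumed
       one; it contains the single line:
           <%@ page session="false" %>                                  -->
  <jsp-config>
    <jsp-property-group>
      <url-pattern>*.jsp</url-pattern>
      <include-prelude>/WEB-INF/jspf/no-session.jspf</include-prelude>
    </jsp-property-group>
  </jsp-config>

</web-app>
```

A JSP that still declares session="true" then fails at translation time because the two page directives conflict, which identifies the pages that depend on a session. JSPs that use the implicit session object without declaring anything fail to compile for the same reason.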



Re: Disable the session in tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Daniel,

On 7/17/13 5:04 PM, Daniel NAZARKIEWICZ wrote:
> Yes, I want to prevent sessions from being created because the
> sessions are not needed in my specific case, so no session at all,
> neither in the cookie nor in the URL.
> 
> Is this possible?

Yes. Write a HttpSessionListener and unconditionally throw an
exception from the sessionCreated() method and kill the session. Like
this:

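import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class IronFistedHttpSessionListener
    implements HttpSessionListener
{
    @Override
    public void sessionCreated(HttpSessionEvent se)
    {
        // Kill the session that was just created, then throw so the
        // stack trace shows which code asked for it.
        se.getSession().invalidate();
        throw new IllegalStateException("Session use is not permitted.");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se)
    {
      // Do nothing
    }
}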

Note that this may cause parts of your code to start to fail. Now, it
will be your job to fix the parts of your code that are triggering
sessions to be created.

For example, if you don't explicitly state session="false" in all of
your JSPs, a session will be created by default. So, you'll need to
edit all the JSPs you have that don't state session="false" so they
won't create sessions.

You may have other places in your code where sessions are created due
to careless code. Fix those and your HttpSessionListener should never
be invoked.

-chris


Re: Disable the session in tomcat

Posted by Daniel NAZARKIEWICZ <dn...@gmail.com>.
Yes, I want to prevent sessions from being created because the sessions
are not needed in my specific case, so no session at all, neither in the
cookie nor in the URL.

Is this possible?

Daniel

On 17/07/2013 22:59, Christopher Schultz wrote:
>
> Daniel,
>
> (Thanks for starting a new thread: it really helps the archives and
> threaded mailing-list readers).
>
> On 7/17/13 4:31 PM, Daniel NAZARKIEWICZ wrote:
>> What is the procedure to disable the session (JSESSIONID) entirely
>> within Tomcat 7?
> Do you want to prevent sessions from being created at all or do you
> want to simply suppress the creation of JSESSIONID cookies? Do you
> want to track sessions in another way?
>
> -chris


Re: Disable the session in tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Daniel,

(Thanks for starting a new thread: it really helps the archives and
threaded mailing-list readers).

On 7/17/13 4:31 PM, Daniel NAZARKIEWICZ wrote:
> What is the procedure to disable the session (JSESSIONID) entirely
> within Tomcat 7?

Do you want to prevent sessions from being created at all or do you
want to simply suppress the creation of JSESSIONID cookies? Do you
want to track sessions in another way?

-chris