I created a simple JSP page, which does nothing but call a servlet to validate a login. Here is the code for page index.jsp :
<%@page contentType="text/html" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Foo</title>
</head>
<body>
<form action="validalogin" method="post">
<input type="text" placeholder="login" name="user"/>
<input type="password" placeholder="senha" name="pass"/>
<input type="submit" value="Entrar"/>
</form>
</body>
</html>
When I run this code, a JSESSIONID is automatically generated, as in the following image. The problem is that this happens even before calling the servlet, that is, the JSP is creating a session:
Theformwillbesenttotheservlet(wherethesessionwillbecreated/validated),butasthepageiscreatingoneautomatically,whentherequestarrivesintheservletitgivesthesessionasvalidbecauseithasalreadybeencreatedpreviously.p>
Icleanedthecookiesofthebrowserandupdatedthepage(F5),theresultwasthesame:AnewJSESSIONIDwasgenerated.
Ididsomeresearchandfoundsomethingrelatedtothesubject in that answer in StackOverflow, where the author cites that:
Every call to JSP page implicitly creates new session if there is no session yet. This can be turned off by
session='false'page directive, in which case session variable is not available on JSP page at all.
After that, I upgraded my page directive to the following:
<%@page contentType="text/html" pageEncoding="UTF-8" session="false" %>
And when I cleaned the cookies and refreshed the page, a JSESSIONID was again generated.
I do not know if it's server-related, but I'm using Apache Tomcat. I even looked in the configuration file server.xml for something related to automatic session creation and found nothing.
How do I change this behavior? I've put together all the details that I found relevant to the question, if any were missing they can charge in the comments.