How to prevent a JSESSIONID from being created when accessing a JSP page?

2

I created a simple JSP page, which does nothing but call a servlet to validate a login. Here is the code for page index.jsp :

<%@page contentType="text/html" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Foo</title>
    </head>
    <body>
        <form action="validalogin" method="post">
            <input type="text" placeholder="login" name="user"/>
            <input type="password" placeholder="senha" name="pass"/>
            <input type="submit" value="Entrar"/>
        </form>
    </body>
</html>

When I run this code, a JSESSIONID is automatically generated, as in the following image. The problem is that this happens even before calling the servlet, that is, the JSP is creating a session:

Theformwillbesenttotheservlet(wherethesessionwillbecreated/validated),butasthepageiscreatingoneautomatically,whentherequestarrivesintheservletitgivesthesessionasvalidbecauseithasalreadybeencreatedpreviously.p>

Icleanedthecookiesofthebrowserandupdatedthepage(F5),theresultwasthesame:AnewJSESSIONIDwasgenerated.

Ididsomeresearchandfoundsomethingrelatedtothesubject in that answer in StackOverflow, where the author cites that:

  

Every call to JSP page implicitly creates new session if there is no   session yet. This can be turned off by session='false' page directive,   in which case session variable is not available on JSP page at all.

After that, I upgraded my page directive to the following:

<%@page contentType="text/html" pageEncoding="UTF-8" session="false" %>

And when I cleaned the cookies and refreshed the page, a JSESSIONID was again generated.

I do not know if it's server-related, but I'm using Apache Tomcat. I even looked in the configuration file server.xml for something related to automatic session creation and found nothing.

How do I change this behavior? I've put together all the details that I found relevant to the question, if any were missing they can charge in the comments.

    
asked by anonymous 10.03.2015 / 05:32

1 answer

1

After several attempts and a lot of trying to solve, I succeeded. And the solution was to use the session="false" that I quoted in the question and that I had previously tried unsuccessfully.

When I declared the policy as follows, the session was created (even defined as false ):

<%@page contentType="text/html" pageEncoding="UTF-8" session="false"%>

However, when I set this attribute to a separate policy, the session is no longer created exactly as I needed it to. I did not understand the reason because I did not read / found anything saying that the order of the statement could interfere with something, but the problem was solved with:

<%@page session="false"%>
<%@page contentType="text/html" pageEncoding="UTF-8"%>

Also worked with:

<%@page session="false" contentType="text/html" pageEncoding="UTF-8"%>
    
25.03.2015 / 15:43