How to disable JSESSIONID cookie-based (and any else) session-tracking features in jetty 9?

Question

i wish to disable all kinds of session tracking features in Jetty 9 for my stateless- or manually maintained state Spring MVC application, but i failed to find any working examples showing how to do so.

I have tried the following /WEB-INF/spring-config.xml tag:

...
<security:http use-expressions="true"
               disable-url-rewriting="true"
               create-session="stateless">
...

Alongside with the following /WEB-INF/jetty-web.xml descriptor in war:

<?xml version="1.0"  encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="usingCookies" type="boolean">false</Set>
        </Get>
    </Get>
</Configure>

But i am still getting JSESSIONID cookies whenever trying to open any page of my application. Any hints why and how to fix it?

Answer 1

With servlet 3 it is possible to set session tracking mode as a part of servlet registration - ServletContext#setSessionTrackingModes... you can try that.

However in your case I would investigate who is calling HttpServletRequest#getSession(...). Put breakpoint in this method to see who is calling it. Some piece of code in your application is initializing session.