Spring adds a JSESSIONID despite stateless session management

I am using a working JWT authentication of my web application with the following configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .csrf().disable()
      // no HttpSession is created by Spring Security itself
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      .and()
      .exceptionHandling()
      .authenticationEntryPoint(
          (req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
      .and()
      .addFilter(new UsernamePasswordAuthenticationFilter(authenticationManager(),
          jwtConfig))
      .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig),
          UsernamePasswordAuthenticationFilter.class)
      .authorizeRequests()
      .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
      .anyRequest().authenticated();
}

With SessionCreationPolicy.STATELESS I am expecting that Spring will not create a session itself. However, if I access any resource other than /login, I still see the following entry in the response header:

set-cookie: JSESSIONID=...; Path=/; HttpOnly

Can someone explain where this is coming from (maybe not from Spring) and, if it does still come from Spring, what needs to be changed?

Edit:

Testing in my controller, the session is still injected, as indicated by the above token being present. I still have no clue where this is coming from.

@PostMapping
@ResponseStatus(HttpStatus.CREATED)
public void create(HttpSession session) {
    if (session != null) {
        System.out.println("Session is existing"); // executes
    }
}
asked Sep 30 '18 00:09 by Glains

1 Answer

Even with SessionCreationPolicy.STATELESS, a session can still be created outside the scope of Spring Security. For example, when you call request.getSession() or request.getSession(true), or if you access a session-scoped bean (internally Spring will call request.getSession(true)).

If you add the following to your application.properties, a stacktrace will be output every time a session is created, which may help you find out what is going on.

logging.level.org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER=DEBUG
answered Oct 06 '22 01:10 by rougou
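The logging property above only produces output when Spring Session's SessionRepositoryFilter is on the classpath. As an added example (not code from the question or the answer), the following shows the same diagnostic on a plain servlet container, using an HttpSessionListener that prints a stack trace whenever the container creates a session, alongside a controller that reads the session with getSession(false) so that the handler itself never triggers creation. It assumes Spring Boot 2.x with javax.servlet; the class and path names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/**
 * Diagnostic listener (added example). The servlet container calls
 * sessionCreated() for every new HttpSession, whether or not Spring
 * Security's STATELESS policy is in effect, so the stack trace printed
 * here points at whichever caller invoked request.getSession(true).
 * Spring Boot registers a @Component HttpSessionListener with the
 * embedded container automatically.
 */
@Component
public class SessionCreationTracer implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // The trace unwinds to the frame that requested the session, e.g.
        // Spring MVC's argument resolver when a handler declares an HttpSession parameter.
        new Exception("Session created: " + event.getSession().getId()).printStackTrace();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // required by the interface; nothing to trace here
    }
}

@RestController
class StatelessCreateController {

    // Hypothetical path; the original controller's mapping is not on the page.
    @PostMapping("/things")
    @ResponseStatus(HttpStatus.CREATED)
    public void create(HttpServletRequest request) {
        // getSession(false) returns an existing session or null and never
        // creates one, unlike an injected HttpSession parameter, which is
        // resolved through request.getSession() and therefore creates it.
        HttpSession session = request.getSession(false);
        if (session == null) {
            System.out.println("No session, as expected for a stateless API");
        }
    }
}
```

After the listener is registered, a JSESSIONID in a response is always preceded by one printed trace on the server, which names the code path to remove or change.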