Can I turn off the HttpSession in web.xml?
I would like to eliminate the HttpSession completely
You can't entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>.
If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies attribute to false in <Context> element.
<Context cookies="false">
Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, just don't grab it, then it won't be created/retained at all.
Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config> element in web.xml as follows to zero-out the max age:
<session-config>
<session-timeout>1</session-timeout>
<cookie-config>
<max-age>0</max-age>
</cookie-config>
</session-config>
If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an "empty" HttpSession), then you'll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public HttpSession getSession() {
return null;
}
@Override
public HttpSession getSession(boolean create) {
return null;
}
}, response);
}
P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.
If you don't need them, just don't use them. That's all. Really :)
Disable HTTPSession for stateless web services
You cannot disable HttpSession on a servlet container, like Tomcat.
Maybe Play framework would be a good approach for implementing your design.
Session-Timeout and Secure in web.xml
In a JEE Servlet app, the session is a value associated to a cookie. Behind the scenes, this value is used by the servlet container as a key to store a map with arguments in the server memory. The session-timeout value in the web.xml establishes how long can a user be inactive before the cookie value expires and the map is disposed for garbage collection.
SessionTimeout: web.xml vs session.maxInactiveInterval()
Now, i'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.
This is wrong. It will just kill the session when the associated client (webbrowser) has not accessed the website for more than 15 minutes. The activity certainly counts, exactly as you initially expected, seeing your attempt to solve this.
The HttpSession#setMaxInactiveInterval() doesn't change much here by the way. It does exactly the same as <session-timeout> in web.xml, with the only difference that you can change/set it programmatically during runtime. The change by the way only affects the current session instance, not globally (else it would have been a static method).
To play around and experience this yourself, try to set <session-timeout> to 1 minute and create a HttpSessionListener like follows:
@WebListener
public class HttpSessionChecker implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
System.out.printf("Session ID %s created at %s%n", event.getSession().getId(), new Date());
}
public void sessionDestroyed(HttpSessionEvent event) {
System.out.printf("Session ID %s destroyed at %s%n", event.getSession().getId(), new Date());
}
}
(if you're not on Servlet 3.0 yet and thus can't use @WebListener, then register in web.xml as follows):
<listener>
<listener-class>com.example.HttpSessionChecker</listener-class>
</listener>
Note that the servletcontainer won't immediately destroy sessions after exactly the timeout value. It's a background job which runs at certain intervals (e.g. 5~15 minutes depending on load and the servletcontainer make/type). So don't be surprised when you don't see destroyed line in the console immediately after exactly one minute of inactivity. However, when you fire a HTTP request on a timed-out-but-not-destroyed-yet session, it will be destroyed immediately.
See also:
- How do servlets work? Instantiation, sessions, shared variables and multithreading
How to turn off HTTP session timeout in Spring Security?
Yes.The snippet below will keep the HTTPSession alive unless the session is invalidated explicitly
<session-config>
<session-timeout>0</session-timeout>
</session-config>
Related Topics
How to Get *Everything* Back from a Stored Procedure Using Jdbc
Difference Between an Application Server and a Servlet Container
How to Decode a String Encoded with Openssl Aes-128-Cbc Using Java
What's the Purpose of Meta-Inf
Extract Source Code from .Jar File
Differencebetween Putting a Property on Application.Yml or Bootstrap.Yml in Spring Boot
How to Obtain the Start Time and End Time of a Day
Does Java Se 8 Have Pairs or Tuples
Convert Bufferedinputstream into Image
Java String.Replace/Replaceall Not Working
Spring - Injecting a Dependency into a Servletcontextlistener
Can a Class Have No Constructor
Java Naming Convention with Acronyms
Why Does Intellij Give Me "Package Doesn't Exist" Error