我可以关闭web.xml中的HttpSession吗？-CanIturnofftheHttpSessioninweb.xml?

68  

I would like to eliminate the HttpSession completely

我想完全消除HttpSession

You can't entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>.

你不能完全禁用它。您需要做的就是不要通过web应用程序代码中的任何位置的request.getSession（）或request.getSession（true）来处理它，并确保您的JSP不会通过设置<％隐式地执行此操作@page session =“false”％>。

If your main concern is actually disabling the COOKIE which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the COOKIEs attribute to false in element.

如果您的主要关注点实际上是禁用在HttpSession幕后使用的COOKIE，那么您可以在Java EE 5 / Servlet 2.5中仅在特定于服务器的webapp配置中执行此操作。例如，在Tomcat中，您可以在 元素中将COOKIEs属性设置为false。

Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, just don't grab it, then it won't be created/retained at all.

另请参阅此Tomcat特定文档。这样，会话将不会保留在后续的URL重写请求中 - 只要您出于某种原因从请求中获取它时。毕竟，如果你不需要它，只是不要抓住它，那么根本不会创建/保留它。

Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new element in web.xml as follows to zero-out the max age:

或者，如果您已经使用Java EE 6 / Servlet 3.0或更高版本，并且真的想通过web.xml执行此操作，那么您可以使用web.xml中的新 元素进行清零最大年龄：

    1
    
        0
    

If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an "empty" HttpSession), then you'll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.

如果你想在你的web应用程序中硬编码，以便getSession（）永远不会返回HttpSession（或“空”HttpSession），那么你需要创建一个监听/ *的url-pattern的过滤器，它用一个替换HttpServletRequest HttpServletRequestWrapper实现，它返回所有getSession（）方法null，或者一个虚拟的自定义HttpSession实现，它什么都不做，甚至抛出UnsupportedOperationException。

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
        @Override
        public HttpSession getSession() {
            return null;
        }
        @Override
        public HttpSession getSession(boolean create) {
            return null;
        }
    }, response);
}

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

附：这是一个坏主意吗？在我真正需要它之前，我更喜欢完全禁用它们。

If you don't need them, just don't use them. That's all. Really :)

如果您不需要它们，请不要使用它们。就这样。真的:)

6  

If you are building a stateless high load application you can disable using COOKIEs for session tracking like this (non-intrusive, probably container-agnostic):

如果您正在构建无状态高负载应用程序，则可以禁用使用COOKIE进行会话跟踪（非侵入式，可能与容器无关）：

    URL

To enforce this architectural decision write something like this:

要强制执行此体系结构决策，请执行以下操作：

public class PreventSessionListener implements HttpSessionListener {
@Override
public void sessionCreated(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}

@Override
public void sessionDestroyed(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}
}

And add it to web.xml and fix places where it fails with that exception:

并将其添加到web.xml并使用该异常修复失败的位置：

    com.ideas.bucketlist.web.PreventSessionListener

4  

I use the following method for my RESTful app to remove any inadvertent session COOKIEs from being created and used.

我使用以下方法为我的RESTful应用程序删除任何无意的会话COOKIE被创建和使用。

    1
    
        0
    

However, this does not turn off HttpSessions altogether. A session may still be created by the application inadvertently, even if it disappears in a minute and a rogue client may ignore the max-age request for the COOKIE as well.

但是，这并没有完全关闭HttpSessions。应用程序仍可能无意中创建会话，即使它在一分钟内消失，并且流氓客户端也可能忽略COOKIE的max-age请求。

The advantage of this approach is you don't need to change your application, just web.xml. I would recommend you create an HttpSessionListener that will log when a session is created or destroyed so you can track when it occurs.

这种方法的优点是您不需要更改您的应用程序，只需更改web.xml。我建议您创建一个HttpSessionListener，它将在创建或销毁会话时记录，以便您可以跟踪它何时发生。

2  

Rather than disabling you can rewrite the URL using a URL rewrite filter eg tuckey rewrite filter. This will give Google friendly results but still allow COOKIE based session handling.

您可以使用URL重写过滤器（例如tuckey重写过滤器）重写URL，而不是禁用。这将为Google提供友好的结果，但仍允许基于COOKIE的会话处理。

However, you should probably disable it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits.

但是，你可能应该为所有响应禁用它，因为它比不友好的搜索引擎更糟糕。它公开了可用于某些安全漏洞的会话ID。

Example config for Tuckey filter:

Tuckey过滤器的配置示例：

  Strip URL Session ID's
  ^(.*?)(?:\;jsessiOnid=[^\?#]*)?(\?[^#]*)?(#.*)?$
  $1$2$3

2  

I would like to eliminate the HttpSession completely - can I do this in web.xml? I'm sure there are container specific ways to do it

我想完全消除HttpSession - 我可以在web.xml中这样做吗？我确信有容器特定的方法来做到这一点

I don't think so. Disabling the HttpSession would be a violation of the Servlet spec which states that HttpServletRequest#getSession should return a session or create one. So I wouldn't expect a Java EE container to provide such a configuration option (that would make it non compliant).

我不这么认为。禁用HttpSession将违反Servlet规范，该规范声明HttpServletRequest＃getSession应返回会话或创建会话。所以我不希望Java EE容器提供这样的配置选项（这会使它不兼容）。

Is this a bad idea? I prefer to completely disable things until I actually need them.

这是一个坏主意吗？在我真正需要它之前，我更喜欢完全禁用它们。

Well, I don't really get the point, just don't put anything in the session if you don't want to use it. Now, if you really want to prevent the use of the session, you can use a Filter to replace the request with a implementation of HttpServletRequestWrapper overriding getSession(). But I wouldn't waste time implementing this :)

好吧，我真的不明白，如果你不想使用它，就不要在会话中放任何东西。现在，如果您确实想要阻止使用会话，可以使用Filter将请求替换为HttpServletRequestWrapper的实现，从而覆盖getSession（）。但我不会浪费时间实现这个:)

Update: My initial suggestion was not optimal, the "right" (cough) way would be to replace the request.

更新：我的初步建议不是最佳的，“正确”（咳嗽）方式将取代请求。

1  

For RESTful application, I simply invalidate it every time the request's lifecycle ends. There may be some web server that always creates new session when new client access whether you call request.getSession() or not.

对于RESTful应用程序，我每次请求的生命周期结束时都会使其无效。可能有一些Web服务器总是在新客户端访问时创建新会话，无论您是否调用request.getSession（）。

1  

In Spring Security 3 with Java Config, you can use HttpSecurity.sessionManagement():

在使用Java Config的Spring Security 3中，您可以使用HttpSecurity.sessionManagement（）：

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

Xml looks like this;

Xml看起来像这样;

By the way, the difference between NEVER and STATELESS

顺便说一下，NEVER和STATELESS之间的区别

NEVER:Spring Security will never create an HttpSession, but will use the HttpSession if it already exists

永远不会：Spring Security永远不会创建HttpSession，但如果它已经存在将使用HttpSession

STATELESS:Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext

STATELESS：Spring Security永远不会创建HttpSession，它永远不会使用它来获取SecurityContext

0  

One cannot avoid the session creation. But you can check if you violate your own requirement at the end of a request cycle. So, create a simple servlet filter, which you place as first and after chain.doFilter throw an exception if a session was created:

人们无法避免会话创建。但您可以在请求周期结束时检查是否违反了自己的要求。因此，创建一个简单的servlet过滤器，在第一个和第一个之后放置。如果创建了一个会话，则会抛出一个异常：

chain.doFilter(request, response);
if(request.getSession(false) != null)
    throw new RuntimeException("Somewhere request.getSession() was called");

0  

As of Servlet 3.0, you can make it so sessions are not tracked by the servlet container in any way, by adding code like this to the contextInitialized method of a ServletContextListener:

从Servlet 3.0开始，您可以通过向Servlet容器以任何方式跟踪会话，方法是将这样的代码添加到ServletContextListener的contextInitialized方法中：

servletContext.setSessionTrackingModes(Collections.emptySet());

Javadoc.

的Javadoc。