Home/ Questions/Q 617765
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T18:28:17+00:00

I would like to eliminate the HttpSession completely – can I do this in

  • 0

I would like to eliminate the HttpSession completely – can I do this in web.xml? I’m sure there are container specific ways to do it (which is what crowds the search results when I do a Google search).

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would like to eliminate the HttpSession completely

    You can’t entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication’s code and making sure that your JSPs don’t implicitly do that by setting <%@page session="false"%>.

    If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies attribute to false in <Context> element.

    <Context cookies="false">

    Also see this Tomcat specific documentation. This way the session won’t be retained in the subsequent requests which aren’t URL-rewritten –only whenever you grab it from the request for some reason. After all, if you don’t need it, just don’t grab it, then it won’t be created/retained at all.

    Or, if you’re already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config> element in web.xml as follows to zero-out the max age:

    <session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

    If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an “empty” HttpSession), then you’ll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.

    @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
        @Override
        public HttpSession getSession() {
            return null;
        }
        @Override
        public HttpSession getSession(boolean create) {
            return null;
        }
    }, response);
}

    P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

    If you don’t need them, just don’t use them. That’s all. Really 🙂

    • 0