I am setting up a completely Java-based Spring app with no XML config:
public class WebApp extends AbstractAnnotationConfigDispatcherServletInitializer {
You can do it as shown below:
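import java.util.HashSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import org.springframework.web.WebApplicationInitializer;

public class WebConfig implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext servletContext)
            throws ServletException {
        // Track sessions by cookie only
        HashSet<SessionTrackingMode> set = new HashSet<SessionTrackingMode>();
        set.add(SessionTrackingMode.COOKIE);
        servletContext.setSessionTrackingModes(set);
    }
}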
Since 3.2.0.RC1 this is available in the AbstractSecurityWebApplicationInitializer like so:
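import java.util.EnumSet;
import java.util.Set;
import javax.servlet.SessionTrackingMode;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class WebSecutityInit extends AbstractSecurityWebApplicationInitializer {
    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        return EnumSet.of(SessionTrackingMode.SSL);
    }
}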
In a Spring Boot app, you can configure the mode using the application property server.session.tracking-modes.
In your application.properties add:
server.session.tracking-modes=cookie
Or if you use application.yml:
server:
  session:
    tracking-modes: 'cookie'
The Spring Boot autoconfiguration internally uses the same call to servletContext.setSessionTrackingModes which Bassem recommended in his answer.
Another solution, that works for me, has been the code below inside the SecurityConfig class.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // No sessionId appended
    ...
}
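The servlet-level approach from the answers above, extended into a startup check. This is an added example, not code from any of the answers; the class name is hypothetical, and it assumes the `javax.servlet` namespace (on Jakarta EE 9+ the package is `jakarta.servlet`) and an HTTPS-only deployment.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.web.WebApplicationInitializer;

// Hypothetical class name; added example, not part of the original answers.
public class CookieOnlySessionInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Cookie-only tracking: the container no longer rewrites URLs
        // with ";jsessionid=...", so the id stays out of logs and Referer headers.
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The cookie is now the only carrier of the session id, so keep it
        // away from scripts and from plain HTTP.
        // Assumption: the application is served over HTTPS only.
        SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // Fail closed: abort startup if URL tracking is still in effect.
        Set<SessionTrackingMode> effective =
                servletContext.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new ServletException(
                    "URL session tracking is still enabled: " + effective);
        }
    }
}
```

`setSessionTrackingModes` throws `IllegalStateException` once the context has been initialized, so this has to run during startup, as it does in `onStartup`.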