Spring adds a JSESSIONID despite stateless session management

Question

I am using a working JWT authentication of my web application with the following configuration:

@Override
protected void configure(HttpSecurity http) throws          


        

Answer 1

Your current configuration (sessionCreationPolicy(SessionCreationPolicy.STATELESS)) ensures that Spring-Security (and only Spring-Security)

• won't create the session
• won't rely on the session for providing authentication details (for example, providing the Principal).

Any other component of your application (for example, if you would use Spring-Session) is still free to create the session.

Answer 2

Try to set the session to none in the application.yml:

spring.session.store-type=none

as mentioned in the docs: https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-session.html