I would like to eliminate the HttpSession completely

我想彻底消除 HttpSession

You can't entirely disable it. All you need to do is to just notto get a handle of it by either request.getSession()or request.getSession(true)anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>.

你不能完全禁用它。您需要做的就是不要在您的 web 应用程序代码中的任何一个request.getSession()或request.getSession(true)任何地方处理它，并确保您的 JSP 不会通过设置<%@page session="false"%>.

If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookiesattribute to falsein <Context>element.

如果您主要关心的是禁用在幕后使用的 cookie HttpSession，那么您可以在 Java EE 5 / Servlet 2.5 中仅在特定于服务器的 webapp 配置中这样做。例如，在 Tomcat 中，您可以将cookies属性设置为falsein<Context>元素。

<Context cookies="false">

Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, justdon't grab it, then it won't be created/retained at all.

另请参阅此Tomcat 特定文档。这样，会话将不会保留在未重写 URL 的后续请求中——仅当您出于某种原因从请求中获取它时。毕竟，如果你不需要它，就不要抢它，那么它根本不会被创建/保留。

Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config>element in web.xmlas follows to zero-out the max age:

或者，如果您已经在使用 Java EE 6 / Servlet 3.0 或更新版本，并且真的想通过 来实现web.xml，那么您可以使用如下的新<cookie-config>元素web.xml来将最大年龄归零：

<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

If you want to hardcode in your webapplication so that getSession()never returns a HttpSession(or an "empty" HttpSession), then you'll need to create a filter listening on an url-patternof /*which replaces the HttpServletRequestwith a HttpServletRequestWrapperimplementation which returns on all getSession()methods null, or a dummy custom HttpSessionimplementation which does nothing, or even throws UnsupportedOperationException.

如果您想在您的 web 应用程序中进行硬编码，以便getSession()永远不会返回 a HttpSession（或“空” HttpSession），那么您需要创建一个过滤器来监听其中一个url-pattern，用一个在所有方法上返回的实现或一个虚拟自定义/*来替换什么都不做，甚至抛出.HttpServletRequestHttpServletRequestWrappergetSession()nullHttpSessionUnsupportedOperationException

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
        @Override
        public HttpSession getSession() {
            return null;
        }
        @Override
        public HttpSession getSession(boolean create) {
            return null;
        }
    }, response);
}

P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.

PS这是一个坏主意吗？我更喜欢完全禁用某些东西，直到我真正需要它们为止。

If you don't need them, just don't use them. That's all. Really :)

如果你不需要它们，就不要使用它们。就这样。真的 ：）

I would like to eliminate the HttpSession completely - can I do this in web.xml? I'm sure there are container specific ways to do it

我想完全消除 HttpSession - 我可以在 web.xml 中做到这一点吗？我确定有容器特定的方法来做到这一点

I don't think so. Disabling the HttpSessionwould be a violation of the Servlet spec which states that HttpServletRequest#getSessionshould return a session or create one. So I wouldn't expect a Java EE container to provide such a configuration option (that would make it non compliant).

我不这么认为。禁用HttpSession将违反 Servlet 规范，该规范规定HttpServletRequest#getSession应该返回会话或创建会话。所以我不希望 Java EE 容器提供这样的配置选项（这会使其不合规）。

Is this a bad idea? I prefer to completely disable things until I actually need them.

这是一个坏主意吗？我更喜欢完全禁用某些东西，直到我真正需要它们为止。

Well, I don't really get the point, just don't put anything in the session if you don't want to use it. Now, if you really want to prevent the use of the session, you can use a Filterto replace the request with a implementation of HttpServletRequestWrapperoverriding getSession(). But I wouldn't waste time implementing this :)

好吧，我真的不明白这一点，如果您不想使用它，请不要在会话中放入任何内容。现在，如果您真的想阻止使用会话，您可以使用 aFilter将请求替换为HttpServletRequestWrapperoverriding的实现getSession()。但我不会浪费时间来实现这个:)

Update:My initial suggestion was not optimal, the "right" (cough) way would be to replace the request.

更新：我最初的建议不是最优的，“正确”（咳嗽）的方法是替换请求。

Rather than disabling you can rewrite the URL using a URL rewrite filter eg tuckey rewrite filter. This will give Google friendly results but still allow cookie based session handling.

您可以使用 URL 重写过滤器（例如tuckey 重写过滤器）来重写 URL，而不是禁用。这将提供 Google 友好的结果，但仍允许基于 cookie 的会话处理。

However, you should probably disable it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits.

但是，您可能应该为所有响应禁用它，因为它比搜索引擎不友好更糟糕。它公开可用于某些安全漏洞的会话 ID 。

Example configfor Tuckey filter:

Tuckey 过滤器的示例配置：

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to></to>
</outbound-rule>

For RESTful application, I simply invalidate it every time the request's lifecycle ends. There may be some web server that always creates new session when new client access whether you call request.getSession()or not.

对于 RESTful 应用程序，我只是在每次请求的生命周期结束时使其无效。可能有一些 Web 服务器总是在新客户端访问时创建新会话，无论您是否调用request.getSession()。

I use the following method for my RESTful app to remove any inadvertent session cookies from being created andused.

我对我的 RESTful 应用程序使用以下方法来删除任何无意中创建和使用的会话 cookie 。

<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>

However, this does not turn off HttpSessions altogether. A session may still be created by the application inadvertently, even if it disappears in a minute and a rogue client may ignore the max-age request for the cookie as well.

但是，这并不会完全关闭 HttpSessions。应用程序仍可能会无意中创建会话，即使它在一分钟内消失并且流氓客户端也可能忽略对 cookie 的 max-age 请求。

The advantage of this approach is you don't need to change your application, just web.xml. I would recommend you create an HttpSessionListenerthat will log when a session is created or destroyed so you can track when it occurs.

这种方法的优点是您不需要更改您的应用程序，只需web.xml. 我建议您创建一个HttpSessionListener在会话创建或销毁时记录的日志，以便您可以跟踪它何时发生。

One cannot avoid the session creation. But you can check if you violate your own requirement at the end of a request cycle. So, create a simple servlet filter, which you place as first and after chain.doFilter throw an exception if a session was created:

人们无法避免会话创建。但是您可以在请求周期结束时检查您是否违反了自己的要求。因此，创建一个简单的 servlet 过滤器，将其放在第一个和之后 chain.doFilter 如果创建会话则抛出异常：

chain.doFilter(request, response);
if(request.getSession(false) != null)
    throw new RuntimeException("Somewhere request.getSession() was called");

If you are building a stateless high load application you can disable using cookies for session tracking like this (non-intrusive, probably container-agnostic):

如果您正在构建无状态高负载应用程序，您可以禁用使用 cookie 进行会话跟踪，如下所示（非侵入性，可能与容器无关）：

<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config>

To enforce this architectural decision write something like this:

要强制执行此架构决策，请编写如下内容：

public class PreventSessionListener implements HttpSessionListener {
@Override
public void sessionCreated(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}

@Override
public void sessionDestroyed(HttpSessionEvent se) {
    throw new IllegalStateException("Session use is forbidden");
}
}

And add it to web.xml and fix places where it fails with that exception:

并将其添加到 web.xml 并修复因该异常而失败的地方：

<listener>
    <listener-class>com.ideas.bucketlist.web.PreventSessionListener</listener-class>
</listener>

In Spring Security 3 with Java Config, you can use HttpSecurity.sessionManagement():

在带有 Java Config 的 Spring Security 3 中，您可以使用 HttpSecurity.sessionManagement()：

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

Xml looks like this;

xml看起来像这样；

<http create-session="stateless">
  <!-- config -->
</http>

By the way, the difference between NEVER and STATELESS

顺便说一下，NEVER 和 STATELESS 的区别

NEVER:Spring Security will never create an HttpSession, but will use the HttpSession if it already exists

STATELESS:Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext

NEVER:Spring Security 永远不会创建 HttpSession，但会使用 HttpSession 如果它已经存在

无状态：Spring Security 永远不会创建 HttpSession 并且永远不会使用它来获取 SecurityContext

As of Servlet 3.0, you can make it so sessions are not tracked by the servlet container in any way, by adding code like this to the contextInitializedmethod of a ServletContextListener:

从 Servlet 3.0 开始，您可以通过将这样的代码添加到 a 的contextInitialized方法中，从而使 servlet 容器不会以任何方式跟踪会话ServletContextListener：

servletContext.setSessionTrackingModes(Collections.emptySet());

Javadoc.

Java 文档。