Home / Java Patterns and Pitfalls     frequal.com

Preventing JSESSIONID Cookies in JSPs

Sometimes you want to use JSP to make dynamic pages, but without the session cookie that is normally automatically sent in responses. To disable the JSESSIONID cookie, simply add this directive at the top of your JSP file:
<%@page contentType="text/javascript" pageEncoding="UTF-8" session="false"%>
In this case the file was a javascript file. Adjust the content type as needed.

Details

JSP files are most often used for server-side web applications. It is very common in such applications to want to track a user's session via a cookie stored in the user's browser. This is so popular that the default behavior for JSPs is to create the cookie, which can be seen as JSESSIONID in the browser's cookie storage.

However, there are several reasons to use JSPs for other content. For a service worker file you may wish to inject the site URL. For a JNLP file, you may also wish to modify a URL. In these cases, sending back a JSESSIONID doesn't help, and just adds another cookie cluttering up your users' systems. Instead, use the code above at the top of your files to disable the cookie.

Kudos

Thanks to the Quescol article How to Enable and Disable Session using JSP? which showed me this technique.
Last modified on 4 Oct 2024 by AO

Copyright © 2024 Andrew Oliver