Affects: \
See this request on StackOverflow, which I found when searching for how to do the same thing:
https://stackoverflow.com/q/53406486/796761
Comment From: bclozel
I don't understand. Spring MVC doesn't create HTTP sessions by default. Something in your stack must be doing it. Maybe your security library?
In any case, creating a sample application on start.spring.io with a test controller:
@RestController
public class HomeController {
@GetMapping("/test")
public ApiResponse demo(){
return new ApiResponse("test message");
}
}
public record ApiResponse(String message) {
}
Will send the following response:
$ http :8080/test
HTTP/1.1 200
Connection: keep-alive
Content-Type: application/json
Date: Thu, 06 Apr 2023 12:31:30 GMT
Keep-Alive: timeout=60
Transfer-Encoding: chunked
{
"message": "test message"
}
No session cookie is created as a result. I'm closing this issue now, please ask on StackOverflow if you cannot figure out what is creating the session cookie in your application.
Comment From: dougbreaux
No security stack, no JSPs. So I don't understand either. Neither did the OP on SO think they had anything else creating sessions. 🤷
But, I'll say, I'm just using @Controller, not @RestController. I didn't see anywhere that this would make that difference, but maybe it does?
Comment From: bclozel
Why not ask your own question on StackOverflow, sharing a code snippet of what you're trying to achieve? The question you're pointing at does use a security stack (apparently not Spring Security) so this does not relate to your case.
Comment From: dougbreaux
Ok, I didn't detect that the question above used a security stack. And, when I did a standalone test for one of my controllers in question, I see that it does not return a JSESSIONID, as you say. I must have been looking at a different application that did do additional things.
Thank you for the dialogue.