Question

My question is similar to this one, but I can simplify it some. Basically I want to authenticate users through the remember-me cookie, but I want everything on the server side to be completely stateless, i.e. never create an HttpSession. I have the following setup:

<security:http use-expressions="true" create-session="stateless" >
    <security:intercept-url pattern="/index.jsp" access="hasRole('ROLE_ANONYMOUS')" />
    <security:intercept-url pattern="/**" access="hasRole('ROLE_TEST')" />
    <security:form-login login-page="/index.jsp" default-target-url="/home" always-use-default-target="true" authentication-failure-url="/index.jsp?login_error=1" />
    <security:logout logout-success-url="/index.jsp"/>
    <security:remember-me key="MY_KEY" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="testUser" password="testPassword" authorities="ROLE_TEST" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

I authenticate just fine with the username and password above and see the remember me cookie in my browser. That part of it is working great. However, I'm finding it is creating a session during this process. I thought the create-session="stateless" was supposed to prevent this. Am I missing something here?


Solution

After working with this more, I found out that it wasn't Spring Security that was creating the session. The index.jsp was creating a new session every time I hit it. I simply added <%@ page session="false" %> to the top of index.jsp, and now there are no sessions being created.
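The quickest way to confirm the diagnosis above, or to find the next component that silently calls request.getSession(true), is to register an HttpSessionListener that dumps a stack trace whenever a session is created. The listener below is an added example, not code from the question or answer; the class name is hypothetical, and it assumes a Servlet 3.0+ container with the javax.servlet API (the generation Spring Security 3.x targets) so that @WebListener registers it without a web.xml entry.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Diagnostic listener for a deployment that is supposed to run with
 * create-session="stateless": every HttpSession creation is logged together
 * with the call stack that triggered it, so the offending JSP, filter or
 * controller can be identified from the first frames of the trace.
 *
 * Hypothetical class name; registered automatically by the container via
 * @WebListener (Servlet 3.0+). On older containers, declare it in web.xml
 * with a <listener> element instead.
 */
@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // An Exception is created purely to capture the current stack; it is
        // never thrown. A JSP compiled without session="false" shows up here
        // as the generated _jspService method calling getSession(true).
        Exception where = new Exception(
                "HttpSession created: " + se.getSession().getId());
        where.printStackTrace(System.err);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        System.err.println("HttpSession destroyed: " + se.getSession().getId());
    }
}
```

Deploy this alongside the stateless configuration and hit each page once: a clean run prints nothing at all, while any "HttpSession created" trace names the component that still needs to be made session-free (for a JSP, the <%@ page session="false" %> directive from the answer). Remove the listener again before production, since it logs on every session and the stack traces are noisy.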

Licensed under: CC-BY-SA with attribution