Grails without session

Question

I noticed that grails applications, as most other java based web applications, always creates a session, even when it is not used.

Is it possible to set the JSESSIONID cookie only when needed, eg. when someone tries to log in?

Answer 1

The generation of a session cookie can be disabled by adding the following page directive:

<%@ page session="false" %>

Answer 2

I'm not sure what version of grails was being used above, but I was running into a similar issue in a large application. My application was split between UI/gsp and other Controllers that served pure json/xml without a view. The UI portion was supposed to be the only part that used sessions, but the services were also returning JSessionId.

Because the application was large, in order to troubleshoot, I created new applications with grails 1.3.7 and 2.2.1, with a basic controller:

class FooController {
    static defaultAction = "lookatme"
    def lookatme = {render(view:'lookatme')}
    def hallo = {render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
    def somestate = {session.foo = "bar"; render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
}

When I run this on tomcat, neither lookatme or hallo returns a JSessionId. The action somestate does. After going back through our code, we found places (some filters, for example) that were attempting to access session when they shouldn't.

If your code is returning a session via JSessionId cookies, and you don't think it should, ensure there is no code used within that action (or filters) which access session (or flash?).