I noticed that Grails applications, like most other Java-based web applications, always create a session, even when it is not used.

Is it possible to set the JSESSIONID cookie only when needed, e.g. when someone tries to log in?

Atilla Ozgur
rdmueller
  • why would you need to worry about that? – Gregg Jan 19 '13 at 15:17
  • two reasons: 1) if you create a session, a cookie will be set. If I interpret the new "European Cookie Law" the right way, you have to ask your visitors for allowance before you set a cookie. 2) a session uses resources. If I don't need the session, why should I create one? And if I expose a REST interface and the client ignores the cookies, each request will create a new session :-( – rdmueller Jan 19 '13 at 15:42
  • You should do some more research: "Consent not necessary: Any cookie that, were it not for its presence, the website would cease to be usable, for example a session cookie that maintains the contents of a customer's basket through the checkout process. That said, if you were to use this same cookie to track customer behaviour without asking them first, then this would require consent." http://www.enchiladadigital.com/services/cookie-audits/eu-cookie-law-what-you-need-to-know/ – Gregg Jan 19 '13 at 15:47
  • what about my second reason? – rdmueller Jan 19 '13 at 16:13
  • Regarding research - taken from your link: `Well that’s all a little ambiguous isn’t it? Quite frankly, yes.` And that's why it makes sense to avoid cookies at all if you don't need them... – rdmueller Jan 19 '13 at 16:22
  • [this](http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created) discussion might help and [this](http://jira.grails.org/browse/GRAILS-1977) JIRA too. Net net, this directive should work on your external facing pages where you want to avoid creating a session. Haven't tried it myself though – uchamp Jan 23 '13 at 02:38
  • Great! Please copy and paste this as an answer so that I can award you the bounty if it works... I will test it in just a moment and comment on it... – rdmueller Jan 23 '13 at 06:19
  • Yeah! It works - great! Just adding the page directive does the trick :-) – rdmueller Jan 23 '13 at 06:25
  • @uchamp What about a situation where you aren't rendering a GSP, but instead rendering XML/JSON output? – aasukisuki Oct 18 '13 at 21:54
  • @aasukisuki, no clue. – uchamp Oct 21 '13 at 10:21
  • @aasukisuki I guess in this situation you should think about using a gsp to render your XML/JSON ;-) I just wonder if a `render view:'page_session_false.gsp'; render myModel as JSON` would work as a workaround... – rdmueller Oct 25 '13 at 08:00

2 Answers

The generation of a session cookie can be disabled by adding the following page directive:

<%@ page session="false" %>
rdmueller

I'm not sure what version of Grails was being used above, but I was running into a similar issue in a large application. My application was split between UI/GSP controllers and other controllers that served pure JSON/XML without a view. The UI portion was supposed to be the only part that used sessions, but the services were also returning a JSESSIONID.

Because the application was large, in order to troubleshoot, I created new applications with Grails 1.3.7 and 2.2.1, with a basic controller:

class FooController {
    static defaultAction = "lookatme"
    // Renders a GSP view; the view itself is what would create a session
    def lookatme = {render(view:'lookatme')}
    // Renders XML directly, never touching the session
    def hallo = {render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
    // Touches the session before rendering, so a session (and JSESSIONID) is created
    def somestate = {session.foo = "bar"; render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
}

When I run this on Tomcat, neither lookatme nor hallo returns a JSESSIONID. The action somestate does. After going back through our code, we found places (some filters, for example) that were attempting to access the session when they shouldn't.

If your code is returning a session via JSESSIONID cookies, and you don't think it should, ensure there is no code used within that action (or in filters) which accesses the session (or flash?).

jsyed
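To track down which actions (or views) create a session, as in the troubleshooting the second answer describes, here is an added example of a Grails 2.x filters artefact that is not code from either answer. It assumes the file name `grails-app/conf/SessionAuditFilters.groovy` and relies on `request.getSession(false)`, which reports an existing session without creating one; `log`, `controllerName`, `actionName` and `request.forwardURI` are the Grails-provided filter properties.

```groovy
// grails-app/conf/SessionAuditFilters.groovy (hypothetical file name)
// Logs every request that arrived without a session but left with one,
// so session-creating actions, filters and GSPs can be found and fixed.
import javax.servlet.http.HttpSession

class SessionAuditFilters {

    private static final String HAD_SESSION = 'sessionAudit.hadSession'

    def filters = {
        sessionAudit(controller: '*', action: '*') {

            before = {
                // getSession(false) returns null instead of creating a session,
                // so the audit itself never triggers a JSESSIONID cookie.
                request.setAttribute(HAD_SESSION, request.getSession(false) != null)
                true // continue processing the request
            }

            // afterView runs once the GSP (if any) has rendered, which is the
            // point where a view without <%@ page session="false" %> creates
            // the session. Checking here catches both action and view code.
            afterView = { Exception e ->
                boolean hadSession = request.getAttribute(HAD_SESSION) as boolean
                HttpSession created = request.getSession(false)
                if (!hadSession && created != null) {
                    log.warn("Session created while serving " +
                             "${controllerName}/${actionName} " +
                             "(${request.method} ${request.forwardURI}); " +
                             "check the action, any filters and the rendered view")
                }
            }
        }
    }
}
```

Run the application and exercise the JSON/XML endpoints; each warning names an action that still reaches the session (or flash) and needs the directive or a code change.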