Module com.aoapps.servlet.filter

Package com.aoapps.servlet.filter

Class NoSessionFilter

java.lang.Object

com.aoapps.servlet.filter.NoSessionFilter

All Implemented Interfaces:

Filter

public class NoSessionFilter
extends Object
implements Filter

Prevents sessions from being created. Without sessions, minimal information should be stored as cookies. In the event cookies are disabled, this filter also adds the cookie values during URL rewriting. Any cookies added to the URLs through rewriting will have a parameter name beginning with cookie: (by default).

Security implications! Since cookies may now come from the URL, they may be added on links from other sites. Thus, one cannot use cookies in any Cross-Site Request Forgery (CSRF) detection or for any other purpose that assumes the cookie may only be provided by the browser.

This should be used for both the DispatcherType.REQUEST and DispatcherType.ERROR dispatchers.

Only cookie names and values are encoded as URL parameters. Comments, paths, and other attributes are lost.

To ensure no namespace conflicts with cookies potentially rewritten as URL parameters, any parameter in the request beginning with cookie: (by default) is filtered, even if it doesn't currently match an allowed cookie name. The result of getQueryString, however, is unaltered any may possibly contain cookie parameters.

Any cookie name that is not in the configured list of cookies names is ignored and not presented to the application, whether it came from HTTP headers or URL parameters.

In the event a cookie value is available from both the headers and the URL parameters, the headers take precedence.

Note: If using JSP, add session="false", for example:

<%@ page language="java" session="false" %>

Consider using in conjunction with session-config to ensure that ;jsessionid is never added to the URLs.

TODO: Idea: When only one cookie name is allowed, convert it to be just the cookie symbol itself? This would means cookies would be lost when a second cookie added, but would be a cool short URL otherwise. Or a second init parameter that specifies which cookie name is the "shortCookie"? Or do we allow each cookie to mapped to a custom name instead of prefix + name?

TODO: Support empty cookieUrlParamPrefix? This would make it more difficult to separate cookies and parameters. It would make it where any cookie name allowed here would effectively never be able to be used as a parameter.

Field Summary

Fields

Modifier and Type	Field	Description
static final int	MAXIMUM_COOKIES	The maximum number of cookie names allowed.

Constructor Summary

Constructors

Constructor	Description
NoSessionFilter()

Method Summary

Modifier and Type	Method	Description
void	destroy()
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
void	init(FilterConfig config)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

MAXIMUM_COOKIES

public static final int MAXIMUM_COOKIES

The maximum number of cookie names allowed.

See Also:

• Constant Field Values

Constructor Details

NoSessionFilter

public NoSessionFilter()

Method Details

init

public void init(FilterConfig config)

Specified by:

init in interface Filter

doFilter

public void doFilter(ServletRequest request,
 ServletResponse response,
 FilterChain chain)
              throws IOException,
ServletException

Specified by:

doFilter in interface Filter

Throws:

IOException

ServletException

destroy

public void destroy()

Specified by:

destroy in interface Filter