Class NoSessionFilter

All Implemented Interfaces:

public class NoSessionFilter extends Object implements Filter

Prevents sessions from being created. Without sessions, minimal information should be stored as cookies. In the event cookies are disabled, this filter also adds the cookie values during URL rewriting. Any cookies added to the URLs through rewriting will have a parameter name beginning with cookie: (by default).

Security implications! Since cookies may now come from the URL, they may be added on links from other sites. Thus, one cannot use cookies in any Cross-Site Request Forgery (CSRF) detection or for any other purpose that assumes the cookie may only be provided by the browser.

This should be used for both the DispatcherType.REQUEST and DispatcherType.ERROR dispatchers.

Only cookie names and values are encoded as URL parameters. Comments, paths, and other attributes are lost.

To ensure no namespace conflicts with cookies potentially rewritten as URL parameters, any parameter in the request beginning with cookie: (by default) is filtered, even if it doesn't currently match an allowed cookie name. The result of getQueryString, however, is unaltered any may possibly contain cookie parameters.

Any cookie name that is not in the configured list of cookies names is ignored and not presented to the application, whether it came from HTTP headers or URL parameters.

In the event a cookie value is available from both the headers and the URL parameters, the headers take precedence.

Note: If using JSP, add session="false", for example:

<%@ page language="java" session="false" %>

Consider using in conjunction with session-config to ensure that ;jsessionid is never added to the URLs.

TODO: Idea: When only one cookie name is allowed, convert it to be just the cookie symbol itself? This would means cookies would be lost when a second cookie added, but would be a cool short URL otherwise. Or a second init parameter that specifies which cookie name is the "shortCookie"? Or do we allow each cookie to mapped to a custom name instead of prefix + name?

TODO: Support empty cookieUrlParamPrefix? This would make it more difficult to separate cookies and parameters. It would make it where any cookie name allowed here would effectively never be able to be used as a parameter.