Is it possible to disable jsessionid in tomcat servlet?

Is it possible to disable jsessionid in url in tomcat? jsessionid seems not too search engine friendly.

+59
java tomcat servlets jsessionid
Jun. 07 '09 at 20:17
8 answers

You can disable it only for search engines using this filter, but I would recommend using it for all answers, as this is worse than just being search-engine unfriendly. It provides a session identifier that can be used for specific security exploits (more).

Tomcat 6 (until 6.0.30)

You can use the Tuckey rewrite filter.

Example configuration for a Tuckey filter:

    <outbound-rule encodefirst="true">
        <name>Strip URL Session ID's</name>
        <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
        <to>$1$2$3</to>
    </outbound-rule>

Tomcat 6 (6.0.30 onwards)

You can use disableURLRewriting in the context configuration to disable this behavior.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards, you can add the following to your session configuration.

    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

+60
Jun. 07 '09 at 20:33
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Tomcat 7 and Tomcat 8 support the above configuration in the web application's web.xml, which disables URL-based sessions.

+51
May 19 '11 at 21:22

This can be done in Tomcat 6.0 with: disableURLRewriting

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

eg.

    <?xml version='1.0' encoding='utf-8'?>
    <Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
    </Context>

In Tomcat 7.0, this is controlled from within the application: ServletContext.setSessionTrackingModes()

Tomcat 7.0 follows Servlet 3.0 specifications.

+20
Apr 11 2018-11-11T00:

Use a Filter on all URLs that wraps the response in an HttpServletResponseWrapper, which simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.

+13
Jun 07 '09 at 20:57

Quote from Pool's answer:

You can use the Tuckey rewrite filter.

You can disable it only for search engines using this filter, but I would advise you to use it for all answers, as it is worse than just being search-engine unfriendly. It provides a session identifier that can be used for specific security exploits (more).

It is worth noting that this will still allow cookie-based sessions to be processed even if jsessionid is no longer displayed. (taken from his other post: Is it possible to disable HttpSession in web.xml? )

PS. I do not have enough reputation for comments, otherwise I would add this to my post above as a comment.

+5
Apr 14 2018-10-14T00:

In Tomcat 6.0, you can use disableURLRewriting="true" in context.xml from the /config path of your Tomcat installation.

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

context.xml file

    <?xml version='1.0' encoding='utf-8'?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements. See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License. You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <!-- The contents of this file will be loaded for each web application -->
    <Context disableURLRewriting="true">

        <!-- Default set of monitored resources -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>

        <!-- Uncomment this to disable session persistence across Tomcat restarts -->
        <!--
        <Manager pathname="" />
        -->

        <!-- Uncomment this to enable Comet connection tacking (provides events
             on session expiration as well as webapp lifecycle) -->
        <!--
        <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
        -->

    </Context>

...

Now tomcat displays its search engine friendly ...

Enjoy

+4
Feb 25 '12 at 17:25

Also, if you have Apache before Tomcat, you can disable jsession using the mod_rewrite filter.

Add the following to your apache configuration.

    #Fix up tomcat jsession appending rule issue
    RewriteRule ^/(.*);jsessionid=(.*) /$1 [R=301,L]

This will do 301 redirects to the page without jsessionid. Obviously, this will completely disable the jsessionid url, but this is what I need.

Cheers, Mark

+2
Dec 21 '10 at 4:30

By default, cookies are enabled on the Tomcat server (you can explicitly set it using cookie = true in the server.xml element). The inclusion of cookies means that jsessionID will not be added to the URL, since the session will be controlled by cookies. However, even after cookies are enabled, the jsessionID is added to the URL for the first request, since the web server does not know at this point if cookies were enabled. To remove such jsessionIDs, you can use tuckey rewrite rules:

Further information on this can be found at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

    <outbound-rule encodefirst="true">
        <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
        <from>^/(.*);jsessionid=.*[?](.*)$</from>
        <to encode="false">/$1?$2</to>
    </outbound-rule>

    <outbound-rule encodefirst="true">
        <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
        <from>^/(.*);jsessionid=.*[^?]$</from>
        <to encode="false">/$1</to>
    </outbound-rule>


+2
Mar 12 2018-11-11T00:


