JBoss 7 adds JSESSIONID to URL despite tracking-mode COOKIE

Yes, this is another "JSESSIONID by URL" question, but I could not find the answer. I am running JBoss AS 7.1.1 Final, and this is my web.xml:

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <cookie-config>
            <!-- Prevents session cookie from being read by clientside scripts -->
            <http-only>true</http-only>
            <!-- Prevents the session cookie from being transmitted on HTTP -->
            <!-- secure>true</secure-->
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
        <session-timeout>30</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>com.cgi.dk.vias.web.config.WebConfig</param-value>
        </init-param>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>
                org.springframework.web.context.support.AnnotationConfigWebApplicationContext
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

Based on an internet search and the answers here on Stack Overflow (e.g., https://stackoverflow.com/a/3/4127/ ), I understand that setting <tracking-mode>COOKIE</tracking-mode> should prevent JSESSIONID from being added to the URL. However, when I browse my site with a fresh browser window (i.e. there are no existing cookies or session), all links have a JSESSIONID added in the first response. If I refresh the page, the JSESSIONID disappears as it enters the cookie.

I understand that I can create a filter to remove it, but I would prefer to avoid HTML falsification if possible.

My browser supports cookies, of course, and they are enabled.

Is my understanding of the <tracking-mode> element unclear, or is something else happening that I am missing?

+6
2 answers

If you use Spring Security, try setting the disable-url-rewriting attribute of the <http> element to True.

Hello,

+3

I know this is a 3-year-old post, but it looks like this is a known bug in JBoss since version 7.1.0:

https://issues.jboss.org/browse/JBWEB-249?_sscc=t

+1
