How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?


Solution 1

In Spring Security 3.0.0 M1 or newer you could set disable-url-rewriting="true" in the <http> namespace. See if that helps. Also see this feature request.

Solution 2

Now it looks like this.

<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true">

After this, your application will be unable to perform stateful jobs properly.

Solution 3

Another solution is here (for those not using Spring Security at all, i.e. myself):

http://randomcoder.com/articles/jsessionid-considered-harmful

It creates a Servlet filter wrapper that handles this.
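The filter-wrapper approach described above, as an added example written for this page (it is not the linked article's code and not part of Spring Security). It assumes the javax.servlet API (Servlet 2.5 or later) and a filter name of your choosing; the class name JsessionidStripFilter is made up here. The wrapper makes encodeURL() and encodeRedirectURL() return the URL untouched, so neither Spring Security's login redirect nor any encodeURL() call in a JSP can append ;jsessionid=... ; it also refuses a session id that arrives in the URL path and bounces the client to the same URL without it, so a leaked or bookmarked id is never honoured.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter written for this answer (not the linked article's code,
 * not part of Spring Security). Map it to /* in web.xml ahead of
 * springSecurityFilterChain so Spring Security sees the wrapped response.
 */
public class JsessionidStripFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Session ids belong in the cookie only. If the container picked one up
        // from the ;jsessionid= path parameter, do not use it: send the client
        // back to the same URL with the parameter removed.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendRedirect(stripJsessionid(request));
            return;
        }

        // Downstream code (Spring Security's redirect strategy, JSP c:url, etc.)
        // calls these hooks to rewrite URLs; returning the input unchanged means
        // the container never gets a chance to append ;jsessionid=...
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override
            public String encodeURL(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }
        });
    }

    public void destroy() {
        // nothing to release
    }

    /**
     * Rebuilds the request URL with any ;jsessionid=... path parameter removed,
     * keeping the query string. Matching is case-insensitive because containers
     * accept the parameter name in mixed case.
     */
    static String stripJsessionid(HttpServletRequest request) {
        String url = request.getRequestURL().toString()
                .replaceAll("(?i);jsessionid=[^?#/;]*", "");
        String query = request.getQueryString();
        return query == null ? url : url + "?" + query;
    }
}
```

Register it with a <filter> element and a <filter-mapping> whose <url-pattern> is /*, placed before the springSecurityFilterChain mapping, since filters run in the order their mappings appear in web.xml. The same caveat as Solution 2 applies: a client that blocks cookies can no longer hold a session at all, which is the intended trade-off. On a Servlet 3.0 container the portable equivalent of Solution 4's Jetty-only parameter is <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml; the filter above is for containers and Spring Security versions that offer neither switch.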

Solution 4

Since you are using jetty, simply add the following context-param tag in your web.xml,

<!-- Disables appending JSESSIONID in browser address bar/requests -->
<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionIdPathParameterName</param-name>
    <param-value>none</param-value>
</context-param>

Refer: Session Management - Jetty Doc

Solution 5

Here is how I solved this issue...

The scenario was that I had a few session-less and security="none" pages, and on the redirect after form submission the redirect URL used to get ;jsessionid= appended, of course leading to errors...

Also, adding disable-url-rewriting="true" didn't work for me.

What worked for me is the code below, run on form submission:

// getSession(false) returns null instead of creating a session that would
// only be invalidated a line later
HttpSession session = request.getSession(false);
if (session != null) session.invalidate();

This made sure there was no active session, so Spring didn't need to carry session information on the redirect after submission, and hence had no need to add JSESSIONID to the URL.

This was of course needed for my specific case and cannot be used as a generic solution for the whole application. Let me know if this helps you.

Author: hvolmer

Updated on September 28, 2020

Comments

  • hvolmer
    hvolmer almost 4 years

    When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, spring security sends an HTTP redirect to our login page (e.g. /login). That's fine.

    The issue is that absent an existing session (identified by a cookie provided in the client's request), spring-security issues a redirect that also specifies the client's new session in the URL, e.g. /login;jsessionid=8o7pglapojus.

    Many containers support this (apparently it works fine in tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the jsessionid "parameter"), and the named session is not associated with the /login request by jetty/spring-security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).

    We can work around this by matching /login.* in our routes, but I'm curious if there's any way to prevent the emission of the session id in the authentication redirect to begin with.

  • Xorty
    Xorty almost 12 years
    @BalusC any known pre-spring 3 solution?
  • Nigel_V_Thomas
    Nigel_V_Thomas almost 12 years
    @Xorty Take a look at fralef.org/tomcat-disable-jsessionid-in-url.html, if upgrading to Spring Security 3+ isn't an option.
  • Sudarshan
    Sudarshan over 10 years
    You mean that only if the client does not permit cookies will the application be unable to perform stateful jobs?