Is it possible to disable jsessionid in tomcat servlet?
Solution 1
You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).
Tomcat 6 (pre 6.0.30)
You can use the tuckey rewrite filter.
Example config for Tuckey filter:
<outbound-rule encodefirst="true">
<name>Strip URL Session ID's</name>
<from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
<to>$1$2$3</to>
</outbound-rule>
Tomcat 6 (6.0.30 and onwards)
You can use disableURLRewriting in the context configuration to disable this behaviour.
Tomcat 7 and Tomcat 8
From Tomcat 7 onwards you can add the following in the session config.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Solution 2
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.
Solution 3
It is possible to do this in Tomcat 6.0 with: disableURLRewriting
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
e.g.
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>
Within Tomcat 7.0, this is controlled with the following within an application: ServletContext.setSessionTrackingModes()
Tomcat 7.0 follows the Servlet 3.0 specifications.
Solution 4
Use a Filter on all URLs that wraps the response in a HttpServletResponseWrapper that simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.
Solution 5
Quote from Pool's answer:
You can use the tuckey rewrite filter.
You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).
It's worth mentioning that this will still allow cookie-based session handling even though the jsessionid is not visible anymore. (taken from his other post: Can I turn off the HttpSession in web.xml?)
PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.
Roy Chan
Updated on July 05, 2022
Comments
-
Roy Chan almost 2 years
Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid seems not too search engine friendly.
-
Dan Fabulich over 14 years
Sample code is available here: randomcoder.com/articles/jsessionid-considered-harmful The server may be down; I had to fetch it out of Google's cache.
-
BalusC about 13 years
Note that the web browser still needs to have cookies enabled.
-
B T over 12 years
Why use a rewriter when you can just not create a session cookie?
-
Pool over 11 years
Please see the date for this answer. Tomcat 7 and the tracking-mode feature were not available in 2009. Updated with per-version information now.
-
koppor over 10 years
Don't forget to use web-app_3.0 xsd: <web-app xmlns:xsi="w3.org/2001/XMLSchema-instance" xmlns="java.sun.com/xml/ns/javaee" xmlns:web="java.sun.com/xml/ns/javaee/web-app_3_0.xsd" xsi:schemaLocation="java.sun.com/xml/ns/javaee java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="CHANGEME" version="3.0">
-
Admin over 10 years
Tomcat 6 supports the 'disableURLRewriting' attribute on the Context element which does this. See tomcat.apache.org/tomcat-6.0-doc/config/context.html
-
Pool over 10 years
Thanks, this got added in Tomcat 6.0.30. I will update the answer again.