JBoss 7 appends JSESSIONID to URL despite tracking-mode cookie


Solution 1

If you are using Spring Security, then you should try setting the disable-url-rewriting attribute of the <http> element to true.

Regards,

Solution 2

I know this is a 3-year-old post, but it looks like this is a known bug in JBoss since 7.1.0:

https://issues.jboss.org/browse/JBWEB-249?_sscc=t

Morten Jacobsen
Updated on June 28, 2022

Comments

  • Morten Jacobsen
    Morten Jacobsen almost 2 years

    Yes, this is another "JSESSIONID in URL" question, but I haven't been able to find an answer. I'm running JBoss AS 7.1.1 Final and this is my web.xml:

    <web-app version="3.0"
      xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    
        <session-config>
            <cookie-config>
                <!-- Prevents session cookie from being read by clientside scripts -->
                <http-only>true</http-only>
                <!-- Prevents the session cookie from being transmitted on HTTP -->
                <!-- secure>true</secure-->
            </cookie-config>
            <tracking-mode>COOKIE</tracking-mode>
            <session-timeout>30</session-timeout>
        </session-config>
    
        <servlet>
            <servlet-name>appServlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>com.cgi.dk.vias.web.config.WebConfig</param-value>
            </init-param>
            <init-param>
                <param-name>contextClass</param-name>
                <param-value>
                    org.springframework.web.context.support.AnnotationConfigWebApplicationContext
                </param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>appServlet</servlet-name>
            <url-pattern>/</url-pattern>
        </servlet-mapping>
    </web-app>
    

    Based on internet search and answers here on Stack Overflow (e.g. https://stackoverflow.com/a/11350819/224143), it is my understanding that setting <tracking-mode>COOKIE</tracking-mode> should prevent JSESSIONID from being appended to URLs. However, when I browse to my site with a fresh browser window (i.e. no existing cookies or session), all links have JSESSIONID appended in the first response. If I refresh the page, the JSESSIONID disappears, since it goes into the cookie.

    I understand that I can create a filter to remove it, but I'd rather avoid tampering with the html if possible.

    My browser supports cookies, of course, and they are enabled.

    Is my understanding of the <tracking-mode> element wrong, or is there something else going on that I'm missing?

    • Nate
      Nate about 9 years
      Did you ever figure this out?
    • Morten Jacobsen
      Morten Jacobsen about 9 years
      Well, it seems to be resolved, but I'm not sure exactly why - my web.xml still looks like the above and I didn't introduce filters or the like to deal with it. I do use Spring Security as suggested by the answer below, but I use Java-based config, and haven't explicitly set disableUrlRewriting. If the problem does stem from Spring Security, it's likely that the property is set by default or I've upgraded it to a newer version without the problem. I've also added a Valve to deal with single sign-on but I'm not sure if that's relevant. Unfortunately I don't have a clear answer.
    • David Balažic
      David Balažic about 9 years
      I have the same problem. When run in Tomcat 7, the option works and the URL does not have the session id, but when deployed to JBoss 7.1.1 the option seems ignored. I also use Spring 3.0.x.
    • David Balažic
      David Balažic about 9 years
      Apparently it is a bug in JBoss 7.x, tracking-mode setting is ignored: issues.jboss.org/browse/JBWEB-249 (fixed right after v7.1.3 was "released", well ... tagged) A workaround that worked for me was this answer
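The filter workaround that the question mentions and the last comment refers to, written out as an added example (this is not code from the question, the answers or JBoss; the class and filter names are hypothetical): a Servlet 3.0 filter that wraps the response so URL encoding never appends the session id, and that discards any session presented as a URL path parameter rather than a cookie.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Keeps the session id out of URLs: the container only appends ;jsessionid=...
// through encodeURL()/encodeRedirectURL(), which JSP tags such as <c:url> and
// Spring's RedirectView call, so returning the URL unchanged leaves the cookie
// as the only carrier of the session. Class and filter names are hypothetical.
@WebFilter(filterName = "noUrlSessionFilter", urlPatterns = "/*")
public class NoUrlSessionFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // An id that arrived as a URL path parameter rather than a cookie is
            // untrusted; discard that session so a fresh cookie-only one is issued.
            if (httpReq.isRequestedSessionIdFromURL() && httpReq.getSession(false) != null) {
                httpReq.getSession(false).invalidate();
            }
            res = new NoRewriteResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    // Response wrapper whose encode methods never add the session id.
    private static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) { super(response); }

        @Override public String encodeURL(String url) { return url; }
        @Override public String encodeRedirectURL(String url) { return url; }
        @SuppressWarnings("deprecation")
        @Override public String encodeUrl(String url) { return url; }
        @SuppressWarnings("deprecation")
        @Override public String encodeRedirectUrl(String url) { return url; }
    }
}
```

Because the filter only changes how the response encodes URLs, the web.xml above can stay as it is; the first cookie-less response simply no longer carries the id in its links.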