Is it possible to disable jsessionid in tomcat servlet?
Tags: Java, Tomcat, Servlets, Jsessionid
Java Problem Overview
Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid does not seem too search engine friendly.
Java Solutions
Solution 1 - Java
You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info: http://randomcoder.com/articles/jsessionid-considered-harmful).
Tomcat 6 (pre 6.0.30)
You can use the tuckey rewrite filter (http://tuckey.org/urlrewrite/).
Example config for Tuckey filter (http://urlrewritefilter.googlecode.com/svn/trunk/src/doc/manual/3.2/guide.html):
<outbound-rule encodefirst="true">
<name>Strip URL Session ID's</name>
<from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
<to>$1$2$3</to>
</outbound-rule>
Tomcat 6 (6.0.30 and onwards)
You can use disableURLRewriting in the context configuration to disable this behaviour.
Tomcat 7 and Tomcat 8
From Tomcat 7 onwards you can add the following in the session config.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Solution 2 - Java
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.
Solution 3 - Java
It is possible to do this in Tomcat 6.0 with: disableURLRewriting
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
e.g.
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>
Within Tomcat 7.0, this is controlled with the following within an application: ServletContext.setSessionTrackingModes()
Tomcat 7.0 follows the Servlet 3.0 specifications.
Solution 4 - Java
Use a Filter on all URLs that wraps the response in a HttpServletResponseWrapper that simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.
Solution 5 - Java
Quote from Pool's answer:
> You can use the tuckey rewrite filter.
>
> You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).
It's worth mentioning that this will still allow cookie-based session handling even though the jsessionid is not visible anymore. (taken from his other post: https://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml/2256061#2256061)
PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.
Solution 6 - Java
In Tomcat 6.0 you could use disableURLRewriting="true" in context.xml from the /config path of your Tomcat installation.
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
context.xml file
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context disableURLRewriting="true">
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tacking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
</Context>
...
Now Tomcat's output is search engine friendly...
Enjoy
Solution 7 - Java
Also if you have Apache in front of Tomcat you can strip out the jsession with a mod_rewrite filter.
Add the following to your Apache config.
#Fix up tomcat jsession appending rule issue
RewriteRule ^/(.*);jsessionid=(.*) /$1 [R=301,L]
This will do a 301 redirect to a page without the jsessionid. Obviously this will completely disable url jsessionid's but this is what I needed.
Cheers, Mark
Solution 8 - Java
By default, cookies are enabled in Tomcat server (you can explicitly set it by using cookies=true in
You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html
<outbound-rule encodefirst="true">
<note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
<from>^/(.*);jsessionid=.*[?](.*)$</from>
<to encode="false">/$1?$2</to>
</outbound-rule>
<outbound-rule encodefirst="true">
<note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
<from>^/(.*);jsessionid=.*[^?]$</from>
<to encode="false">/$1</to>
</outbound-rule>
Solution 9 - Java
In Tomcat 7 and above, you can add this in tomcat/conf/context.xml
<Context cookies="false">
to disable JSESSIONID. More on this help doc (refer cookies section).