Is it possible to disable jsessionid in tomcat servlet?
Is it possible to turnoff jsessionid in the url in tomcat? the jsessionid seems not too search engine friendly.
You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).
Tomcat 6 (pre 6.0.30)
You can use the tuckey rewrite filter.
Example config for Tuckey filter:
<outbound-rule encodefirst="true">
<name>Strip URL Session ID's</name>
<from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
<to>$1$2$3</to>
</outbound-rule>
Tomcat 6 (6.0.30 and onwards)
You can use disableURLRewriting in the context configuration to disable this behaviour.
Tomcat 7 and Tomcat 8
From Tomcat 7 onwards you can add the following in the session config.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.
It is possible to do this in Tomcat 6.0 with: disableURLRewriting
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
e.g.
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>
Within Tomcat 7.0, this is controlled with the following within an application: ServletContext.setSessionTrackingModes()
Tomcat 7.0 follows the Servlet 3.0 specifications.
Use a Filter
on all URLs that wraps the response
in a HttpServletResponseWrapper
that simply returns the URL unchanged from encodeRedirectUrl
, encodeRedirectURL
, encodeUrl
and encodeURL
.
Quote from Pool's answer:
You can use the tuckey rewrite filter.
You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).
It's worth mentioning, that this will still allow cookie based session handling even though the jsessionid is not visible anymore. (taken from his other post: Can I turn off the HttpSession in web.xml?)
PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.