0

I have developed a simple website, without any security feature. The only feature it has is locale, which helps user to visit website in different languages. My question is that why the jsessionid will be added to the website address ? I know it is used to track users but how to remove it from website address?

For example 

http://mywebsite.com/mywebsite/info.html;jsessionid=AE7AAI54A7ECS5155A5541BEFA7CFA58

There is an answer to this question here but I do not know where I should use the suggested code and what does that do ?

Community
  • 1
  • 1
J888
  • 1,944
  • 8
  • 42
  • 76
  • You have a tag but didn't mention in your text: Are you using JSP for your rendering? JSP always forces a session open, even if there's no particularly good reason for it, and using a simpler alternative like [Thymeleaf](http://www.thymeleaf.org/) might be the easiest solution. – chrylis -cautiouslyoptimistic- Oct 15 '13 at 00:47
  • http://stackoverflow.com/questions/11327631/remove-jsessionid-from-url – srkavin Oct 15 '13 at 00:48
  • absolutely, that's why I added it as a tag. – J888 Oct 15 '13 at 00:48
  • 1
    You may also try the `<%@ page session="false" %>` directive. @srkavin, that will work around the problem, but if there's no need to create the session, it's best to suppress it in the first place. – chrylis -cautiouslyoptimistic- Oct 15 '13 at 00:48
  • how about if I use spring security, does deactivating session affect that in anyway? – J888 Oct 15 '13 at 00:54
  • Yes, spring-security almost always needs a session, so you cannot deactivate it. You can try to configure your servlet-container (Tomcat?) to disable jsessionid in URLs and use only cookies for storing and sending the jsessionid. – Sorin Postelnicu Jan 22 '20 at 10:11

0 Answers0