8

Seems like a stupid question to which the answer would be "Don't use encodeURL()!" but I'm working with a codebase that uses netui anchor tags in the JSPs and I need to disable the writing of JSESSIONID into the URLs as it is a security risk.

In WebLogic, you can configure this by configuring url-rewriting-enabled in weblogic.xml (I know because I wrote that feature in the WebLogic server!). However, I can't find an equivalent config option for Tomcat.

skaffman
Alex Worden
  • If you consider having the session ID on the URL as a security risk, then how is relying on the same information in a cookie any less of a risk? – skaffman Feb 16 '10 at 23:16
  • One could (unawarely/accidentally) copy-paste a URL with `jsessionid` from the address bar and give it to someone else. The other, either unawarely or awarely and with bad intents, could request the page with this URL as if it was the original user. With cookies, the `jsessionid` is not directly visible to the end user. Also see http://en.wikipedia.org/wiki/Session_fixation – BalusC Feb 16 '10 at 23:44
  • That doesn't sound like security, that's more of a safety issue. If security against exploits is the concern, then a cookie is no more secure than a rewritten URL, surely. – skaffman Feb 16 '10 at 23:50
  • Yes, it's more a safety issue. The responsibility for security and leaks is also entirely on the client side, not on the server side. – BalusC Feb 16 '10 at 23:52
  • Another concern with session IDs in the URL is referrer URLs. If you click on a link to an external site, the old URL is sent to the new HTTP server in the Referer field, enabling a malicious target site to take over the session. Add bot-generated comment posts and your users are in danger. – xmjx Oct 15 '10 at 17:17
  • @skaffman: Cookies can be protected against client-side attacks like CSRF and XSS. The page URL cannot be protected. This is a necessary step (along with using the secure and http-only flags on the cookie) to reduce the risk of session hijacking. – Alain O'Dea Nov 27 '12 at 13:01

3 Answers

9

Tomcat 6 supports the disableURLRewriting attribute that can be set to true in your Context element:

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Common_Attributes

Bart
  • Another property to consider is httpOnly, which prevents client-side scripts from accessing the session ID. – Alain O'Dea Nov 27 '12 at 13:19
  • If you are using http and not https and have set secure="true" on the tomcat Connector, then setting disableURLRewriting to true will not work. – yeaske Jun 10 '14 at 15:29
5

No setting comes to mind. But this is fairly easy to do by creating a first-entry Filter that listens on the url-pattern of interest (maybe /*?) and replaces the ServletResponse with a HttpServletResponseWrapper implementation whose encodeURL() returns the very same argument unmodified.

Kickoff example:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Wraps every response so the container never appends ;jsessionid=... to encoded URLs.
public class NoUrlRewritingFilter implements Filter {
    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
        chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; } // sendRedirect() targets use this one
        });
    }
}
BalusC
  • Beat me to it... remember, though, there are 4 different url-rewriting methods on the response, some or all of which might need "disabling". – skaffman Feb 16 '10 at 22:47
  • Correct. 2 of them are however deprecated (ending in `Url` instead of `URL`). The other one which you may want to override as well is the `encodeRedirectURL()`. Also see http://java.sun.com/javaee/5/docs/api/javax/servlet/http/HttpServletResponse.html#encodeRedirectURL%28java.lang.String%29 – BalusC Feb 16 '10 at 22:49
  • Thanks! That's exactly what I did for Tomcat and I can confirm that it works. – Alex Worden Feb 18 '10 at 15:47
0

As found in https://fralef.me/tomcat-disable-jsessionid-in-url.html, there is a servlet spec feature to do this:

<session-config>
   <tracking-mode>COOKIE</tracking-mode>
</session-config>
Tim Funk
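Whichever of the fixes above is applied (the Context attribute, the wrapper filter, or `tracking-mode`), a practitioner will want to confirm from the access log that session IDs no longer appear in request paths, and that they are not arriving in Referer headers from pages that still rewrite URLs (the leak xmjx describes in the comments). The following is an added check, not code from any of the answers; the log lines are constructed and assume Tomcat's common log format followed by a quoted Referer field.

```python
import re

# Constructed sample access log lines (not from the question): the first leaks
# the session ID in the request path, the third carries one in the Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2010:23:10:01 +0000] "GET /app/home;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 200 512 "-"
10.0.0.6 - - [16/Feb/2010:23:10:07 +0000] "GET /app/home HTTP/1.1" 200 512 "-"
10.0.0.7 - - [16/Feb/2010:23:10:09 +0000] "GET /app/report HTTP/1.1" 200 2048 "http://example.test/app/cart;jsessionid=FEDCBA9876543210FEDCBA9876543210"
"""

# host ident user [time] "method path protocol" status bytes "referer"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)
# Tomcat rewrites the session ID as a path parameter: ;jsessionid=<id>
SESSION_RE = re.compile(r';jsessionid=([0-9A-Za-z]+)', re.IGNORECASE)


def redact(session_id):
    """Keep only a short prefix so the report does not itself spread the token."""
    return session_id[:4] + "..."


def find_url_session_leaks(log_text):
    """Return one finding per line whose request path or Referer carries a session ID."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real scan would count these
        for where in ("path", "referer"):
            sid = SESSION_RE.search(m.group(where))
            if sid:
                findings.append({
                    "ip": m.group("ip"),
                    "where": where,
                    "path": m.group("path"),
                    "session": redact(sid.group(1)),
                })
    return findings


if __name__ == "__main__":
    for f in find_url_session_leaks(SAMPLE_LOG):
        print(f"{f['ip']}: session ID in {f['where']} for {f['path']} ({f['session']})")
```

Run it against a real access log by reading the file into `find_url_session_leaks`; an empty result after the change is the confirmation you want, while hits in the Referer column point at other pages or sites that still emit rewritten URLs.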