
I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of Session Fixation. I used the replaceSession() method (from the wicket Session class), which does a destroy() and a bind(). It seems to do the trick as the session id does indeed change. The problem is that now we see a jsessionid in the url every time we initially log on. The id goes away after you log in and only appears on the initial launch.

My question is, is there a way to ensure that no jsessionid appears in the url AND that the session id changes? Any advice would be greatly appreciated.

Cristik
  • Possibly similar question (about JSESSIONID - not wicket) is asked here: http://stackoverflow.com/questions/1045668/jsessionid-is-occured-in-all-urls-which-are-generated-by-jstl-curl-tag – Mihir Dec 04 '15 at 18:55

1 Answer


Use

<session-config>
   <tracking-mode>COOKIE</tracking-mode>
</session-config>

in your web.xml.

martin-g