3

So I went through the steps to build a basic roo application here: http://static.springsource.org/spring-roo/reference/html/beginning.html

I started up my server and started playing with the app, couldn't help but notice that there's a 'jsessionid' in my url:

http://localhost:8080/pizzashop/pizzas;jsessionid=0A8EA5D9E8665C8AC80F141C3818F6BA?form

I don't care for this at all! Why does it need a session id in the URL? Can I get rid of this? It does not seem RESTful to have this there.

skaffman
Samo

4 Answers

4

This is standard JavaEE behavior, and is dictated and controlled by the servlet container. It has nothing to do with Spring.

See this previous question to find out why and when it gets created, and how to avoid it.

Community
skaffman
  • How to avoid it without disabling the session is [answered here](http://stackoverflow.com/questions/1045668/jsessionid-is-occured-in-all-urls-which-are-generated-by-jstl-curl-tag/4019476#4019476). – BalusC Nov 02 '10 at 16:18
1

I didn't see this answer in the other question so I wanted to explain it. The way sessions work in Java, and I think PHP, is that when the client first comes in, it creates a cookie and appends JSESSIONID to all the URLs that used the `<c:url/>` tag. The reason it does this is because the first time the client visits the page, the server has no idea if the client supports cookies. So it does both. Next time, since it sees the cookie, it will actually not use URLs anymore because it knows cookies worked.

There are a lot of ways to disable this. If you are not using sessions at all then you can disable cookies by putting `cookies=false` in context.xml. This only disables cookies for the session and not regular cookies. You can then use urlrewrite to strip the sessionid.

Hope that helps.

Amir Raminfar
0

What app server are you using? I know that WebLogic at least will always do a URL encoded session, as well as a cookie based session, on the first call at least, to see if cookies are enabled on the client. If it can't find the cookie that matches the URL session id on the next call, it will continue using the session token from the URL. I know when they switched our company over to using SharePoint for web crawling and search, the Windows web guys whined for a LONG time about the issue, until they finally understood that all they had to do was turn on cookie session support.

mezmo
0

In my case this was happening when the application was deployed on my desktop and not using https. In that case, in weblogic.xml, `cookie-secure` should be set to false. Otherwise the cookie-managed session ID will only work over https.

```xml
<wls:cookie-secure>false</wls:cookie-secure>
```

Paul Roub
Shahriar