5

I have created a login page in a servlet using Google Datastore, and it is working fine, but sometimes it shows the JSESSIONID in the URL.

How can I prevent the JSESSIONID from being sent through the URL? Why is it passed through the URL instead of in the request message?

Prakash

2 Answers

5

Add the following entry in your web.xml.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

This will instruct the container that the client supports cookies and hence there is no need to put the JSessionId in the URL.

VHS
3

Are you using response.encodeURL()? If so, try to remove it or disable "URL Rewriting" and check the URL.

See also:

  • disableURLRewriting

Apache Tomcat Configuration Reference

Additional information:

response.encodeURL(URL) adds ;jsessionid=xxxx... to the URL. To disable this (= "URL Rewriting"):

Tomcat 7.0 or later:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

Tomcat 6.0:

<Context disableURLRewriting="true" ...
Kohei TAMURA
  • No, I am not using `response.encodeURL()`. – Prakash Jun 23 '17 at 05:56
  • You should *always* use `response.encodeURL` (or `response.encodeRedirectURL` if appropriate). If you want to disable sessions, use the configuration instead of breaking your application by not following the rules. – Christopher Schultz Apr 26 '18 at 13:13