
I notice that the first time a user visits my site the Wicket-generated URLs contain a jsessionid, rather than relying on the cookie for session information.

The cookie does get set successfully, and if the user simply reloads the page, the jsessionid is no longer appended to the URLs. You can test this out here: pixlshare.com. Hovering over any of the image links will show a URL with a jsessionid; reload the page, and the jsessionids will be removed.

From previous experience with the Wicket SEO page I know how to remove the jsessionid to hide it from bots, but employing this technique for regular users seems like a hack. It will also break the site for those people paranoid enough to have cookies disabled.

This is happening after a recent move to Tomcat from Glassfish, though I can't say for certain that that's the cause. Also, I'm using Apache's mod_proxy in front of Tomcat.

George Armhold

1 Answer


Here's what happens: the client requests a page for the first time, sending no cookies at all:

$ curl -v http://pixlshare.com/upload

The server does not know anything about client capabilities based on this request, in particular whether it supports cookies or not. Hence, to be extra safe, it sends both the cookie and the JSESSIONID encoded in the URL:

< Set-Cookie: JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C; Path=/; HttpOnly
...
<a wicket:id="image1Link" href="gallery/OKfzVk;jsessionid=25E7A6C27095CA1F560BCB2983BED17C">

In other words the servlet container defensively appends JSESSIONID to every URL, just in case the client does not support cookies.

So why does the JSESSIONID disappear on the second request? Because now the client sends the cookie in the HTTP request and the server knows that the client handles them. That being said, the JSESSIONID is no longer needed.

$ curl -v -b JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C http://pixlshare.com/upload
> Cookie: JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C
...
<a wicket:id="image1Link" href="gallery/OKfzVk">

On the other hand, if the client does not support cookies, the server will continue to rewrite URLs.

This is not a Wicket issue, this is a Tomcat feature.


BTW (from your website JavaScript):

path = path.replace(/^C:\\fakepath\\/i, '');

What the f...ake?

Tomasz Nurkiewicz
  • Many browsers will provide "C:\fakepath\your_file.jpg" as the reported filename when you do an upload. The JS is just stripping that out so that the last portion of the filename is displayed prior to upload. The intention is to show the users the filename (without path) so that they could see that they were uploading FOO.jpg and not BAR.jpg. Nothing nefarious. :-) – George Armhold Jul 24 '11 at 17:58
  • I get why Tomcat is doing this, but why didn't I have this issue with Glassfish? – George Armhold Jul 24 '11 at 18:10
  • Ah, I take my comment back. I just checked another site running on Glassfish, and after clearing my cookies for that site, I got the jsessionids. – George Armhold Jul 24 '11 at 21:05
  • And the answer to "how do I disable it in Spring Boot web application" is "set `server.servlet.session.tracking-modes=cookie` to application properties." – Torben May 18 '21 at 10:18
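The answer above explains why the container rewrites URLs on a cookie-less first request, and the last comment gives the Spring Boot property for turning that off. The following is an added example (not code from the question, the answer, Wicket or Tomcat) of the same fix done with the plain Servlet 3.0 API, which is what Tomcat 7 and later implement: a ServletContextListener restricts session tracking to cookies, so HttpServletResponse.encodeURL() (which Wicket calls for every link it renders) returns URLs unchanged, and the same listener registers a small filter that redirects any request still carrying a ;jsessionid= path parameter to the clean URL. The reason to bother beyond cosmetics is that a session id embedded in a URL is copied into Referer headers, proxy and access logs, bookmarks and shared links, and a URL-borne id is the classic session-fixation vector. The package and class names are assumptions; the filter is wired programmatically rather than with @WebFilter so that the whole example lives in one file.

```java
package com.example.session; // assumed package name, not from the original page

import java.io.IOException;
import java.util.EnumSet;
import java.util.regex.Pattern;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: cookie-only session tracking for a Servlet 3.0+ container
 * (Tomcat 7 or newer). Runs once at deployment, before the first request.
 */
@WebListener
public class CookieOnlySessions implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Same effect as <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
        // in web.xml, or server.servlet.session.tracking-modes=cookie in Spring Boot.
        // After this, encodeURL()/encodeRedirectURL() never append ;jsessionid=, and an
        // id presented in the path is not used to look up a session. Caveat: a client
        // that refuses cookies now gets a fresh session on every request.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Belt and braces: old links, bookmarks or crawler caches may still contain
        // ;jsessionid=. Redirect those to the clean URL so the id stops propagating
        // through Referer headers and logs. Filter name is illustrative.
        FilterRegistration.Dynamic reg = ctx.addFilter("stripJsessionId", new StripJsessionIdFilter());
        reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** Matches the path parameter as Tomcat writes it, case-insensitively, up to the next delimiter. */
    static final Pattern JSESSIONID_PARAM = Pattern.compile("(?i);jsessionid=[^;/?#]*");

    /** Pure helper: "/gallery/OKfzVk;jsessionid=25E7A6C2..." becomes "/gallery/OKfzVk". */
    static String stripJsessionId(String requestUri) {
        return JSESSIONID_PARAM.matcher(requestUri).replaceAll("");
    }

    /** Redirects any request whose request-URI still carries ;jsessionid= to the same URI without it. */
    static final class StripJsessionIdFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) {
            // no configuration needed
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            // getRequestURI() returns the raw request-target path, path parameters included,
            // so the check works regardless of which tracking modes are in effect.
            String uri = req.getRequestURI();
            if (JSESSIONID_PARAM.matcher(uri).find()) {
                String clean = stripJsessionId(uri);
                if (req.getQueryString() != null) {
                    clean += "?" + req.getQueryString();
                }
                // The clean URI no longer matches the pattern, so this cannot loop.
                res.sendRedirect(clean);
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // nothing to release
        }
    }
}
```

Deploy this as part of the web application and the first, cookie-less request already comes back with clean hrefs; you can confirm with the same two curl commands from the answer, the difference being that the first response now contains only the Set-Cookie header and no ;jsessionid= in the markup. On Tomcat 6 (Servlet 2.5, no setSessionTrackingModes) the equivalent switch is the disableURLRewriting attribute on the Context element. Note that the redirect filter is a clean-up for stale links, not a substitute for the tracking-mode setting: the setting is what stops the container from both emitting and honouring URL-borne ids.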