Questions tagged [jsessionid]

JSESSIONID is the name of the tracking parameter defined by the Java servlet API. The parameter can be set either as a cookie or as part of the URL.
If a request specifies a JSESSIONID, the server will use it if it determines that it is valid. If the JSESSIONID in the request is missing or invalid, the server generates a new unique one.
Sessions can be configured to time out (usually 30 minutes), after which time the session id is no longer valid.

461 questions
318 votes, 5 answers

Under what conditions is a JSESSIONID created?

When / what are the conditions when a JSESSIONID is created? Is it per a domain? For instance, if I have a Tomcat app server, and I deploy multiple web applications, will a different JSESSIONID be created per context (web application), or is it…
joshjdevl
70 votes, 9 answers

Is it possible to disable jsessionid in tomcat servlet?

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid seems not too search engine friendly.
Roy Chan
60 votes, 8 answers

Changing cookie JSESSIONID name

I have a requirement of having to run multiple Tomcat servers in a single physical box. While accessing these from a browser, when the user switches between the applications, it results in logging the user out of the previously accessed application. This is because…
ramanr
56 votes, 3 answers

What is a "host only" cookie?

While retrieving a form auth, the browser gets a JSESSIONID cookie shown as host only. What is a host only cookie?
jacktrades
36 votes, 7 answers

jsessionid occurs in all URLs which are generated by JSTL tag

I've got some strange bug: when I open a page for the first time in some browser, all references have a jsessionid parameter (like ). When I press F5 or refresh the page by any other ways all that stuff is…
Roman
34 votes, 10 answers

How to refresh JSESSIONID cookie after login

A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomcat sets this cookie when our stateless Login Page loads, but before…
Nathan Beach
31 votes, 4 answers

Spring Security Sessions without cookies

I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is - our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain…
Mattiavelli
30 votes, 2 answers

JSESSIONID Cookie with Expiration Date in Tomcat

What's the best way to set an expiration date for the JSESSIONID cookie sent by Tomcat for a servlet session? By default, the expiration date of the cookie seems to be 'session', which means that the session disappears in the client as soon as the…
Tim Jansen
28 votes, 10 answers

Same-Site flag for session cookie in Spring Security

Is it possible to set Same-site Cookie flag in Spring Security? And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome).
Tomáš Hála
27 votes, 4 answers

Spring boot configure custom jsessionid for embedded server

I want to configure my servlet context, such as setting a custom jsessionId key (see Changing cookie JSESSIONID name). I believe I can use the SpringBootServletInitializer when running a WAR file, manipulating the servletContext in onStartup().…
tkruse
24 votes, 4 answers

How to properly set JSESSIONID cookie path behind reverse proxy

My web app is running in Tomcat at http://localhost:8080/example.com/ but it is being reverse proxied from Apache that is serving up http://example.com/ on port 80. My web app looks at the request.getHeader("x-forwarded-host") header to know that…
Stephen Ostermiller
21 votes, 6 answers

Logout leaves behind JSESSIONID on the browser. How to clear it?

I am using the following code for logging a user out of my system. /** * This function helps to set the session attribute for the present user to null and then * removes the attribute itself and this helps in clearing the session * @param…
Shiv Kumar Ganesh
20 votes, 5 answers

remove jsessionid in url rewrite in spring mvc

I am using Spring MVC and having a problem with jsessionid. What I found is that jsessionid is injected in the URL if cookies aren't enabled in the browser, producing a URL like…
mmohab
16 votes, 1 answer

How to make Spring Security OAuth2 really stateless / get rid of "state" parameter?

I'm currently working on a project where we want the user to sign in via Facebook and other OAuth2 providers. Furthermore the REST api should be stateless. Therefore no cookies/jsessionids should be created/utilized. For authorization against the…
andy
16 votes, 2 answers

Sending cookie as request header in SOAP UI request for rest web service

I am testing a REST API using SOAP UI tool. First, I hit another API which gave me the jSessionid and then in my actual request I added a parameter to the request header by the name "Cookie" and provided it the above extracted jsessionid value.…
Anand