Is it possible to disable jsessionid in tomcat servlet?

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid does not seem very search engine friendly.


You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>


 <session-config>
     <tracking-mode>COOKIE</tracking-mode>
 </session-config> 

Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.


It is possible to do this in Tomcat 6.0 with: disableURLRewriting

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

e.g.

<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>

Within Tomcat 7.0, this is controlled with the following within an application: ServletContext.setSessionTrackingModes()

Tomcat 7.0 follows the Servlet 3.0 specifications.


Use a Filter on all URLs that wraps the response in a HttpServletResponseWrapper that simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.


Quote from Pool's answer:

You can use the tuckey rewrite filter.

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

It's worth mentioning that this will still allow cookie-based session handling even though the jsessionid is not visible anymore. (taken from his other post: Can I turn off the HttpSession in web.xml?)

PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.


In Tomcat 6.0 you could put disableURLRewriting="true" into context.xml in the /config path of your Tomcat installation.

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

context.xml file

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context disableURLRewriting="true">

    <!-- Default set of monitored resources -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->

    <!-- Uncomment this to enable Comet connection tacking (provides events
         on session expiration as well as webapp lifecycle) -->
    <!--
    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
    -->

</Context>

...

Now Tomcat's output is search engine friendly...

Enjoy


Also if you have Apache in front of Tomcat you can strip out the jsession with a mod_rewrite filter.

Add the following to your apache config.

#Fix up tomcat jsession appending rule issue
RewriteRule  ^/(.*);jsessionid=(.*) /$1 [R=301,L]

This will do a 301 redirect to a page without the jsessionid. Obviously this will completely disable url jsessionid's but this is what I needed.

Cheers, Mark


By default, cookies are enabled in the Tomcat server (you can explicitly set it by using cookies=true in element of server.xml). Enabling cookies means that the jsessionID will not be appended to URLs, since the session will be managed using cookies. However, even after cookies are enabled, jsessionIDs are appended to the URL for the first request, as the web server doesn't know at that stage if cookies have been enabled. To remove such jsessionIDs, you can use Tuckey rewrite rules:

You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
    <from>^/(.*);jsessionid=.*[?](.*)$</from>
    <to encode="false">/$1?$2</to>
</outbound-rule>

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
    <from>^/(.*);jsessionid=.*[^?]$</from>
    <to encode="false">/$1</to>
</outbound-rule>



In Tomcat 7 and above, you can add this in tomcat/conf/context.xml

<Context cookies="false">

to disable JSESSIONID. More in this help doc (refer to the cookies section).
