是否可以在 tomcat servlet 中禁用 jsessionid？

Question

Is it possible to turnoff jsessionid in the url in tomcat? the jsessionid seems not too search engine friendly.

Answer 1

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits ( more info ).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter .

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Answer 2

 <session-config>
     <tracking-mode>COOKIE</tracking-mode>
 </session-config> 

Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.

Answer 3

It is possible to do this in Tomcat 6.0 with: disableURLRewriting

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

eg

<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>

Within Tomcat 7.0, this is controlled with the following within an application: ServletContext.setSessionTrackingModes()

Tomcat 7.0 follows the Servlet 3.0 specifications.

Answer 4

对所有将response包装在HttpServletResponseWrapper中的 URL 使用Filter ， encodeRedirectURL返回从encodeRedirectUrl 、 encodeRedirectURL 、 encodeUrl和encodeURL不变的 URL。

Answer 5

Quote from Pool's answer:

You can use the tuckey rewrite filter.

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

It's worth mentioning, that this will still allow cookie based session handling even though the jsessionid is not visible anymore. (taken from his other post: Can I turn off the HttpSession in web.xml? )

PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.

Answer 6

In Tomcat 6.0 you could use disableURLRewriting="true" into context.xml from your /config path of you tomcat instalation.

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

context.xml file

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context disableURLRewriting="true">

    <!-- Default set of monitored resources -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->

    <!-- Uncomment this to enable Comet connection tacking (provides events
         on session expiration as well as webapp lifecycle) -->
    <!--
    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
    -->

</Context>

...

Now tomcat output it's search engine friendly...

Enjoy

Answer 7

Also if you have Apache in front of Tomcat you can strip out the jsession with a mod_rewrite filter.

Add the following to your apache config.

#Fix up tomcat jsession appending rule issue
RewriteRule  ^/(.*);jsessionid=(.*) /$1 [R=301,L]

This will do a 301 redirect to a page without the jsessionid. Obviously this will completely disable url jsessionid's but this is what I needed.

Cheers, Mark

Answer 8

By default, cookies are enabled in Tomcat server(you can explicitly set it by using cookies=true in element of server.xml). Enabling cookies means that jsessionID will not be appended to URL's since session will be managed using cookies. However, even after cookies are enabled, jsessionID's are appended to the URL for first request as the webserver doesn't know at that stage if cookies have been enabled. To remove such jsessionIDs, you can using tuckey rewrite rules:

You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
    <from>^/(.*);jsessionid=.*[?](.*)$</from>
    <to encode="false">/$1?$2</to>
</outbound-rule>

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
    <from>^/(.*);jsessionid=.*[^?]$</from>
    <to encode="false">/$1</to>
</outbound-rule>

You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

Answer 9

in tomcat 7 and above, you can add this in tomcat/conf/context.xml

<Context cookies="false">

to disable JSESSIONID. More on this help doc (refer cookies section).