Information Technology, Tips and Tricks

Change JSESSIONID in URL parameter

Having problems with JSESSIONID in the URL?

Well, this is not a bug. When the server receives a request from a client, it cannot be sure whether the client supports cookies. So it generates both: a session cookie and the JSESSIONID in the URL. When the client comes back a second time and the server detects that the cookie is present, it drops JSESSIONID from the URL automatically. However, when the cookie is not present, the server continues to use the JSESSIONID in the URL.

Having JSESSIONID in the URL is actually not bad at all, but it has a few drawbacks:

  • Security Risk

Exposing the session ID in the URL allows an attacker to attack the victim and steal information stored in the session.

  • SEO

Because the session ID is unique, search engine bots may not recognise pages whose URLs carry a unique session ID.

How to solve this?

There are a few ways to avoid JSESSIONID in the URL:

  1. Implement a Servlet Filter that disables URL-based session ID generation.
  2. Since Servlet 3.0, we can use the SessionTrackingMode enumeration to specify how session tracking should be done.
    So, in web.xml we just need to add the following:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

 

So, who said it is difficult and complicated? Happy coding 🙂
