Having problems with JSESSIONID in the URL?
Well, this is not a bug. When the server receives the first request from a client, it cannot tell whether the client supports cookies. So it sends the session ID both as a cookie and in the URL. When the client comes back a second time and the server detects that the cookie is present, it drops JSESSIONID from the URL automatically. However, when the cookie is not present, the server continues to use the URL.
Having JSESSIONID in the URL is not bad in itself, but it has a few drawbacks:
- Security risk
Exposing the session ID in the URL allows an attacker to attack the victim and steal information stored in the session.
- Because each session ID is unique, search engine bots may not correctly recognise pages whose URLs carry a unique session ID.
How to solve this?
There are a few ways to avoid JSESSIONID in the URL:
- Implement a Servlet Filter that disables/skips URL-based session ID generation.
- Since Servlet 3.0, we can use the SessionTrackingMode enumeration to specify how session tracking should be done.
So, in web.xml we just need to add the following:
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
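For the first option, the Servlet Filter, here is an added example that is not code from the original post. The class name `NoUrlSessionIdFilter` is hypothetical and the `javax.servlet` (Servlet 3.0) API is assumed. It wraps the response so that the URL-encoding methods return the URL unchanged:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter name; applies to every request path.
@WebFilter("/*")
public class NoUrlSessionIdFilter implements Filter {

    @Override
    public void init(FilterConfig config) { /* nothing to configure */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP responses have no URL rewriting to suppress.
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        // The container appends ";jsessionid=..." inside these encode methods.
        // Returning the URL untouched keeps the session ID out of links,
        // form actions and redirects generated by JSPs, tag libraries and servlets.
        HttpServletResponseWrapper noRewrite =
            new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override public String encodeURL(String url) { return url; }
                @Override public String encodeRedirectURL(String url) { return url; }
                // Deprecated spellings of the same methods; older code still calls them.
                @SuppressWarnings("deprecation")
                @Override public String encodeUrl(String url) { return url; }
                @SuppressWarnings("deprecation")
                @Override public String encodeRedirectUrl(String url) { return url; }
            };
        chain.doFilter(req, noRewrite);
    }

    @Override
    public void destroy() { /* no resources held */ }
}
```

The filter only stops the application from writing the session ID into URLs; it does not by itself stop the container from accepting a session ID that arrives in a URL, which the `COOKIE` tracking mode does.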
So, who said it is difficult and complicated? Happy coding 🙂