Is it possible to disable jsessionid in tomcat servlet?

by

You can disable for just search engines using this filter, but I’d advise using it for all responses as it’s worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

More Related Contents:

  1. Tomcat 10.0.4 doesn’t load servlets (@WebServlet classes) with 404 error [duplicate]
  2. What is recommended way for spawning threads from a servlet in Tomcat
  3. How to set request encoding in Tomcat?
  4. Unable to compile class for JSP: The type java.util.Map$Entry cannot be resolved. It is indirectly referenced from required .class files
  5. Sharing session data between contexts in Tomcat
  6. How to configure Tomcat to connect with MySQL
  7. Mapping a specific servlet to be the default servlet in Tomcat
  8. _jspService is exceeding the 65535 bytes limit
  9. how to get a client’s MAC address from HttpServlet?
  10. Session is lost and created as new in every servlet request
  11. Spring – Injecting a dependency into a ServletContextListener
  12. java.lang.NoClassDefFoundError: javax/servlet/http/HttpServletRequest
  13. Exposing resources from jar files in web applications (Tomcat7)
  14. Embedded tomcat 7 servlet 3.0 annotations not working
  15. How to invoke a servlet without mapping in web.xml?
  16. Is there a url rewriting engine for Tomcat/Java?
  17. Can I serve JSPs from inside a JAR in lib, or is there a workaround?
  18. Detecting client disconnect in tomcat servlet?
  19. How to call a method before the session object is destroyed?
  20. How to store a file on a server(web container) through a Java EE web application?
  21. How to add response headers based on Content-type; getting Content-type before the response is committed
  22. Tomcat VS Jetty [closed]
  23. The import javax.servlet can’t be resolved [duplicate]
  24. Tomcat 7.0.43 “INFO: Error parsing HTTP request header”
  25. How do I send an e-mail in Java?
  26. HTTP Status 500 – Error instantiating servlet class pkg.coreServlet
  27. Disable all default HTTP error response content in Tomcat
  28. “Not allowed to load local resource: file:///C:….jpg” Java EE Tomcat
  29. Managing webapp session data/controller flow for multiple tabs
  30. How to deploy a Java Web Application (.war) on tomcat?

Leave a Comment