Is it possible to disable jsessionid in tomcat servlet?

August 13, 2019

Question

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid seems not too search engine friendly.

Solution

You can disable it for just search engines using this filter, but I’d advise using it for all responses, as it’s worse than just search engine unfriendly. It exposes the session ID, which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:;jsessionid=[^?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
