How to Disable Jsessionid in Tomcat Servlet

Is it possible to disable jsessionid in tomcat servlet?

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

How to disable JSESSIONID cookie-based (and any else) session-tracking features in jetty 9?

With servlet 3 it is possible to set session tracking mode as a part of servlet registration - ServletContext#setSessionTrackingModes... you can try that.

However in your case I would investigate who is calling HttpServletRequest#getSession(...). Put breakpoint in this method to see who is calling it. Some piece of code in your application is initializing session.

How to Disable Jsessionid in Tomcat Servlet

Is it possible to disable jsessionid in tomcat servlet?

How to disable JSESSIONID cookie-based (and any else) session-tracking features in jetty 9?

Related Topics

Leave a reply