Disabling ;jsessionid URL appending in Servlet 3.0

9 Mar 2010

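I’ve noticed that Google indexed various pages of mine with an appended “;jsessionid=somehash”.
That’s not only ugly, but also a security risk: a session ID in the URL ends up in search indexes, browser history, server logs and Referer headers, and anyone who obtains it can reuse the session while it is still valid.

But how do you disable session tracking by URL? How do you set it to cookie only?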

Take this!

Update: Jan Luehe showed me a way to do this in web.xml only – without a listener:

 
    
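<session-config>
    <!-- Only COOKIE is active, so the container no longer appends ;jsessionid to URLs -->
    <tracking-mode>COOKIE</tracking-mode>
    <!-- <tracking-mode>URL</tracking-mode> -->
    <!-- <tracking-mode>SSL</tracking-mode> -->
</session-config>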
    
 

If you prefer to do it programmatically (e.g. when building a custom web-app configuration wizard or something like this), do it this way:

package com.dominikdorn.dc.listeners;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import java.util.HashSet;
import java.util.Set;

/**
 * This Listener sets the tracking modes used by the servletContext
 */
@WebListener(value = "This listener sets the session tracking modes")
public class SetSessionTrackingModeListener implements ServletContextListener {

    // Public constructor is required by servlet spec

    public SetSessionTrackingModeListener() {
    }

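    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must be called while the context is still initializing;
        // afterwards setSessionTrackingModes throws IllegalStateException.
        Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
        // modes.add(SessionTrackingMode.URL); // that's the default behaviour!
        modes.add(SessionTrackingMode.COOKIE);
        // modes.add(SessionTrackingMode.SSL); // this works only with client certs.
        sce.getServletContext().setSessionTrackingModes(modes);
    }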

    public void contextDestroyed(ServletContextEvent sce) {
    }

}
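
After switching to cookie-only tracking, the access log shows whether URLs carrying ;jsessionid (for example ones already indexed) are still being requested or leaked through Referer headers. The following is an added example, not code from the original post; it assumes the combined log format, and the sample lines, addresses and session ID are constructed.

```python
import re
from collections import Counter

# Combined log format: host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# ;jsessionid=<id> is a path parameter: it ends at the next ';', '/', '?' or '#'.
SID_RE = re.compile(r';jsessionid=([^;/?#\s"]+)', re.IGNORECASE)

# Constructed sample lines (documentation addresses, made-up session ID).
SAMPLE = [
    '203.0.113.7 - - [09/Mar/2010:10:00:00 +0000] "GET /shop/item;jsessionid=0A1B2C3D4E5F?id=7 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '198.51.100.4 - - [09/Mar/2010:10:00:05 +0000] "GET /css/site.css HTTP/1.1" 200 90 "http://www.example.org/shop/item;jsessionid=0A1B2C3D4E5F?id=7" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Mar/2010:10:00:09 +0000] "GET /shop/item?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def audit(lines):
    """Return one finding per request target or Referer that carries ;jsessionid."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            value = m.group(field) or ""
            hit = SID_RE.search(value)
            if hit:
                findings.append({
                    "line": number,
                    "field": field,
                    "agent": m.group("agent") or "",
                    "url": SID_RE.sub("", value),      # URL without the session ID
                    "sid": hit.group(1)[:4] + "...",   # masked: the report must not leak IDs
                })
    return findings


def by_agent(findings):
    """Count findings per user agent, e.g. to spot crawlers replaying indexed URLs."""
    return Counter(f["agent"] for f in findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(by_agent(audit(SAMPLE)))
```

Hits in the "referer" field mean a page was viewed under a ;jsessionid URL and the ID was passed on with the request for a linked resource.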

Questions? Comments? Post them here!
