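I’ve noticed that Google indexed various pages of mine with “;jsessionid=somehash” appended to the URL.
That’s not only ugly, but also a security risk: the session ID ends up in search indexes, logs and Referer headers, where anyone who sees the link can pick it up.
But how do you disable session tracking by URL? How do you set it to cookie only?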
Take this!
Update: Jan Luehe showed me a way to do this in web.xml only, without a listener:
```xml
<web-app ...>
    <session-config>
        <!-- List only the modes you want; COOKIE alone disables ;jsessionid URL rewriting -->
        <tracking-mode>COOKIE</tracking-mode>
        <!-- <tracking-mode>URL</tracking-mode> -->
        <!-- <tracking-mode>SSL</tracking-mode> -->
    </session-config>
</web-app>
```
If you prefer to do it programmatically (e.g. when building a custom web-app configuration wizard or something similar), do it this way:
```java
package com.dominikdorn.dc.listeners;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import java.util.HashSet;
import java.util.Set;

/**
 * This Listener sets the tracking modes used by the servletContext
 */
@WebListener(value = "This listener sets the session tracking modes")
public class SetSessionTrackingModeListener implements ServletContextListener {

    // Public constructor is required by servlet spec
    public SetSessionTrackingModeListener() {
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
        // modes.add(SessionTrackingMode.URL); // that's the default behaviour!
        modes.add(SessionTrackingMode.COOKIE);
        // modes.add(SessionTrackingMode.SSL); // this works only with client certs.
        sce.getServletContext().setSessionTrackingModes(modes);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}
```
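To confirm the setting took effect, scan rendered pages for links that still carry the session ID. The script below is an added example, not code from the original post; the function names and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Path parameter added by URL-based session tracking,
# e.g. /cart.jsf;jsessionid=0A1B2C.node1?item=7 (matched case-insensitively to be safe)
JSESSIONID = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)


def strip_jsessionid(url):
    """Return (clean_url, leaked); leaked is True if the URL carried a session ID."""
    parts = urlsplit(url)  # the ;jsessionid=... parameter stays inside parts.path
    clean_path, hits = JSESSIONID.subn("", parts.path)
    return urlunsplit(parts._replace(path=clean_path)), hits > 0


class LinkAudit(HTMLParser):
    """Collect URL-bearing attributes whose value contains a session ID."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                clean, leaked = strip_jsessionid(value)
                if leaked:
                    # Report the cleaned URL so the audit output does not copy the ID.
                    self.leaks.append((tag, name, clean))


def audit_html(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.leaks


# Constructed sample: markup as rendered while URL tracking is still enabled.
SAMPLE_BEFORE = """<a href="/shop/cart.jsf;jsessionid=0A1B2C3D4E5F.node1?item=7">Cart</a>
<form action="checkout;jsessionid=0A1B2C3D4E5F" method="post"></form>
<img src="/img/logo.png">"""
# Constructed sample: the same link once only COOKIE tracking is configured.
SAMPLE_AFTER = '<a href="/shop/cart.jsf?item=7">Cart</a>'

if __name__ == "__main__":
    for tag, attr, url in audit_html(SAMPLE_BEFORE):
        print(f"session ID in <{tag} {attr}>: {url}")
```

`strip_jsessionid` can also be used to normalise URLs from access logs or sitemaps before they are stored or shared.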
Questions? Comments? Post them here!