Java jsessionid in URL

by Artur Mkrtchyan
Feb. 21, 12

Today developers are using JSTL to write clean JSP code.
Let's talk about JSTL's URL tag, <c:url ...>.

People complain that whenever they use <c:url ...>, all links on their site contain a strange jsessionid parameter, which disappears after refreshing the page.

Some of them think this is a bug.

This isn't a bug. Whenever a new session is created, the server does not yet know whether the client supports cookies, so it sends a session cookie and also appends the jsessionid to the URL. When the client comes back a second time and presents the cookie, the server knows the jsessionid isn't necessary and drops it. If the client comes back without the cookie, the server has to keep rewriting the jsessionid into URLs.
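
Before switching URL rewriting off it is worth checking whether any client actually depends on it. The filter below is an added example, not code from the original post: it uses the standard HttpServletRequest query methods to record, per request, whether the session id arrived in the cookie or in the URL, without ever logging the id itself. The package and class names are assumptions for this example.

```java
package my.app.web.filter; // hypothetical package name for this example

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: logs which mechanism carried the session id on each request.
 * It changes nothing about the response; it only shows whether clients still
 * rely on URL rewriting before that mechanism is disabled.
 */
public class SessionSourceLoggingFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SessionSourceLoggingFilter.class.getName());

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            LOG.info(describeSessionSource((HttpServletRequest) request));
        }
        chain.doFilter(request, response);
    }

    /**
     * Classifies how the requested session id was transported. The id value is a
     * credential, so only its source and validity are reported, never the id.
     */
    static String describeSessionSource(HttpServletRequest req) {
        if (req.getRequestedSessionId() == null) {
            return "no session id presented for " + req.getRequestURI();
        }
        String source;
        if (req.isRequestedSessionIdFromCookie()) {
            source = "cookie";
        } else if (req.isRequestedSessionIdFromURL()) {
            source = "URL rewrite"; // the client did not send the cookie back
        } else {
            source = "unknown";
        }
        String validity = req.isRequestedSessionIdValid() ? "valid" : "stale or unknown";
        return "session id from " + source + " (" + validity + ") for " + req.getRequestURI();
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}
```

Map it to /* like any other filter and watch the log for "URL rewrite" entries; if none appear over a representative period, disabling URL-based session tracking will not lock anyone out.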

But nowadays it's really hard to imagine clients/users without cookie support.

While the web application as a whole works fine with this behaviour, the jsessionid parameter might be a problem for your application's SEO and security.

SEO Impact

Some search engines may penalize sites that have identical content available from multiple unique URLs. Because the session id is unique, multiple visits by the same search bot will return identical content under different URLs.

This is a real problem: search for inurl:;jsessionid and you will see around 620 million results.

Security Risk

It is nothing new that including the session id in the URL potentially lets an attacker hijack a victim's session.

Now let's solve these issues.

Unfortunately, the Servlet Specification and servlet containers do not provide a standard way to disable the use of URL-based sessions.

The solution/workaround is to create a servlet filter that disables URL-based session id generation.

package my.app.web.filter; // renamed: 'package' is a Java keyword, so the post's my.package.web.filter cannot compile

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Wraps every HttpServletResponse so that the URL-encoding methods return the
 * URL untouched; the container therefore never appends ;jsessionid=... to links
 * or redirects. Session tracking through the cookie is unaffected.
 */
public class URLSessionFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses do URL encoding; pass anything else straight through.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Override all four encode methods, including the two deprecated spellings
        // (encodeUrl / encodeRedirectUrl) that older code and tag libraries may still call.
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
            public String encodeRedirectUrl(String url) {
                return url;
            }

            public String encodeRedirectURL(String url) {
                return url;
            }

            public String encodeUrl(String url) {
                return url;
            }

            public String encodeURL(String url) {
                return url;
            }
        };
        chain.doFilter(request, wrappedResponse);
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}

To disable the default URL encoding functionality we need to wrap the HttpServletResponse instance. The Java Servlet API provides a wrapper class for exactly this, HttpServletResponseWrapper.

The servlet filter is ready; now we need to tell the servlet container about it by adding the following to web.xml:

<filter>
    <filter-name>URLSessionFilter</filter-name>
    <filter-class>my.app.web.filter.URLSessionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>URLSessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
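
The filter above works on any servlet container. On a container that implements Servlet 3.0 or later, the same policy can also be set through the session-tracking API that version added, which stops the container from ever generating a URL-based session id rather than stripping it afterwards. The listener below is an added example, not code from the original post; it assumes a Servlet 3.0+ container, and the package and class names are placeholders. The Secure flag is an assumption about deployment and belongs only on applications served over HTTPS.

```java
package my.app.web.config; // hypothetical package name for this example

import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example: restricts session tracking to cookies on a Servlet 3.0+ container,
 * so ;jsessionid=... is never appended to URLs and encodeURL()/encodeRedirectURL()
 * return their input unchanged. @WebListener registers it without a web.xml entry.
 */
@WebListener
public class CookieOnlySessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Tracking modes may only be changed while the context is still initializing,
        // which is exactly when this callback runs.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // While here, harden the session cookie itself: HttpOnly keeps script from reading it,
        // Secure keeps it off plain HTTP (assumption: the application is served over HTTPS).
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The declarative equivalent in a web-app 3.0 descriptor is a <session-config> element containing <tracking-mode>COOKIE</tracking-mode>; either form makes the filter redundant on such containers, while the filter remains the portable choice for older ones.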

Who said this was difficult? That's all, enjoy coding.
