Java jsessionid in URL

People are complaining that whenever they using <c:url ... > all links on their site contain strange a jsessionid parameter and it disappears after refreshing the page. 

Some of them think that this is a bug.

This isn't a bug, whenever a new session is created, the server isn't sure if the client supports cookies or not, and it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid isn't necessary, and drops it. If the client comes back with no cookie, then the server needs to continue to use jsessionid rewriting in url. 

While whole web applications works fine with this behaviour jsessionid parameter might be problem for your application SEO and security.

SEO Impact

Some search engines may penalizes sites which have identical content available from multiple, unique URLs. Because sessionid is unique, multiple visits by the same search bot will return identical content with different URLs. 

This is a problem, let's try to search for inurl:;jsessionid in URLs and we will see around 620 million results.

Security Risk

It's not an invention that including SessionID in the URL, allows attackers potentially hack a victim.

Now let's solve this issues

Unfortunately Servlet Specification and Servlet Containers does not provide a standard way to disable the use of URL-based sessions.  

The solution/workaround is to create a servlet filter which will disable/skip url based sessionid generation. 

package my.package.web.filter;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class URLSessionFilter implements Filter {

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
if (!(request instanceof HttpServletRequest)) {
chain.doFilter(request, response);
return;
}

HttpServletResponse httpResponse = (HttpServletResponse) response;

HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
public String encodeRedirectUrl(String url) {
return url;
}

public String encodeRedirectURL(String url) {
return url;
}

public String encodeUrl(String url) {
return url;
}

public String encodeURL(String url) {
return url;
}
};
chain.doFilter(request, wrappedResponse);
}

public void init(FilterConfig filterConfig) {
}

public void destroy() {
}
}

To disable default URL encoding functionality, we need to wrap HttpServletResponse instance. The Java Servlet API provides wrapper called HttpServletResponseWrapper.

Servlet filter is ready, now we need to tell servlet container about it. We need to add the following to the web.xml: 

<filter>    
<filter-name>URLSessionFilter</filter-name>
<filter-class>my.package.web.filter.URLSessionFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>URLSessionFilter</filter-name>    
<url-pattern>/*</url-pattern>
</filter-mapping>

Who said this was difficult? That's all enjoy coding.