ansaurus

Question

jsessionid is occured in all urls which are generated by jstl <c:url..> tag

Answer 1

+1 A:

This isn't a bug, it's by design. When a new session is created, the server isn't sure if the client supports cookies or not, and so it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid isn't necessary, and drops it for the rest of the session. If the client comes back with no cookie, then the server needs to continue to use jsessionid rewriting.

You may not explicitly use cookies, but you do implicitly have a session, and the container needs to track that session.

skaffman 2009-06-25 19:09:26

that's nice, but all my css look like "link rel=".." href="/mysite/css/styles.css?jsessionid=as2dfs4df". can I turn off this default behavior or it would be a bad practice and I should fix my css-loading?

Roman 2009-06-25 19:18:06

That's going to be dependent on which container you're running in

skaffman 2009-06-25 19:24:23

Answer 2

A:

Unfortunately the only way I have found around this is to add a filter to your application that will strip out the jsessionid parameter. Its particularly annoying if you are creatinga public website and want th esearch engines to index your pages.

I do not believe that tomcat (if that's what you're using) can be configured to not add this to your url. I can't say for the other servers though.

However, note that if you do create the filter and you then require session management and the user has cookies turned off you will run into problems.

Vincent Ramdhanie 2009-06-25 19:32:50

skaffman 2009-06-25 19:36:12

Actually I've made a mistake, it's not a parameter but I forgot the exactly format at that moment

Roman 2009-06-27 07:57:51

Answer 3

A:

One workaround is not to use <c:url>, but to use ${request.contextPath}/path

Bozho 2010-10-25 19:33:15

Answer 4

A:

Here's a nasty workaround in flavor of a Filter so that you will never see the jsessionid in URL whenever the client supports cookies.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    HttpSession session = req.getSession();

    if (session.isNew()) {
        // New session? OK, redirect to encoded URL with jsessionid in it (and implicitly also set cookie).
        res.sendRedirect(res.encodeRedirectURL(req.getRequestURI()));
        return;
    } else if (session.getAttribute("verified") == null) {
        // Session has not been verified yet? OK, mark it verified so that we don't need to repeat this.
        session.setAttribute("verified", true);
        if (req.isRequestedSessionIdFromCookie()) {
            // Supports cookies? OK, redirect to unencoded URL to get rid of jsessionid in URL.
            res.sendRedirect(req.getRequestURI().split(";")[0]);
            return;
        }
    }

    chain.doFilter(request, response);
}

Map it on /* or whatever URL pattern which require session management.

BalusC 2010-10-25 22:46:38

@BalusC: hi BalusC, thanks for the answer! I don't do web-development currently, but I'll try your solution on one of my old projects which had this problem. Could you explain a little (or give a correspondent link) the concept of encoded/not encoded URL? Why is it matter? The other thing here for which I lack knowledge to understand it is "verified" attribute for session. Who and when normally set it?

Roman 2010-10-26 06:36:10

Skaffman has answered the need for jsessionid in URL. The `verified` attribtue is just there to prevent the filter from running in an infinite loop once the cookie support has been verified. You're free to rename it to something else.

BalusC 2010-10-26 10:43:51

ansaurus

tags:

views:

answers:

jsessionid is occured in all urls which are generated by jstl <c:url..> tag

related questions