Hi Gurus,

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid does not seem very search engine friendly.

Please advise. Thanks.

+6  A: 

You can use the tuckey rewrite filter.

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>
Pool
+4  A: 

Use a Filter on all URLs that wraps the response in a HttpServletResponseWrapper that simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.

Andrew Duffy
Sample code is available here: http://randomcoder.com/articles/jsessionid-considered-harmful
The server may be down; I had to fetch it out of Google's cache.
Dan Fabulich
I liked this approach.
vsingh
+2  A: 

Quote from Pool's answer:

You can use the tuckey rewrite filter.

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

It's worth mentioning that this will still allow cookie-based session handling even though the jsessionid is not visible anymore. (Taken from his other post: http://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml/2256061#2256061)

PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.

Andreas