Yes, this is another "JSESSIONID in URL" question, but I haven't been able to find an answer. I'm running JBoss AS 7.1.1 Final and this is my web.xml:
<web-app version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<cookie-config>
<!-- Prevents session cookie from being read by clientside scripts -->
<http-only>true</http-only>
<!-- Prevents the session cookie from being transmitted on HTTP -->
<!-- secure>true</secure-->
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
<session-timeout>30</session-timeout>
</session-config>
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>com.cgi.dk.vias.web.config.WebConfig</param-value>
</init-param>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
Based on internet search and answers here on Stack Overflow (e.g. https://stackoverflow.com/a/11350819/224143), it is my understanding that setting <tracking-mode>COOKIE</tracking-mode>
should prevent JSESSIONID from being appended to URLs. However, when I browse to my site with a fresh browser window (i.e. no existing cookies or session), all links have JSESSIONID appended in the first response. If i refresh the page, the JSESSIONID disappears, since it goes into the cookie.
I understand that I can create a filter to remove it, but I'd rather avoid tampering with the html if possible.
My browser supports cookies, of course, and they are enabled.
Is my understanding of the <tracking-mode>
element wrong, or is there something else going on that I'm missing?
If you are using spring security, then you should try setting disable-url-rewriting attribute of <http>
element to true.
Regards,
I know this is a 3 years old post but it looks like this is a known bug in Jboss since 7.1.0
https://issues.jboss.org/browse/JBWEB-249?_sscc=t
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With