Spring Boot: remove jsessionid from url

How can I remove the jsessionid from my URLs?

I'm using Spring Boot MVC (without Spring Security; tomcat embedded).

I've read that it could be done by setting disableUrlRewriting to "true". But this looks like a Spring Security solution, which I don't use (it's a simple project without login; just pages; a session-controller exists and has to be a session-controller).

I'm asking this because GoogleBot is creating URLs containing the id.

EDIT: I solved it with the solution described at: https://randomcoder.org/articles/jsessionid-considered-harmful

Kian asked Aug 03 '15 15:08

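The link the asker settled on describes a servlet filter approach. The following is an added example (my own code, not the asker's and not the code from the linked article) showing that idea in a Spring Boot application: a filter that discards any session whose id arrived in the URL, and wraps the response so the container never appends ;jsessionid= when it encodes URLs. The package name, the class names and the use of the Spring Boot 2.x FilterRegistrationBean package are assumptions.

```java
package example; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

@Configuration
public class DisableUrlSessionConfig {

    /** Register the filter first so every later filter and handler sees the wrapped response. */
    @Bean
    public FilterRegistrationBean<DisableUrlSessionFilter> disableUrlSessionFilter() {
        FilterRegistrationBean<DisableUrlSessionFilter> registration =
                new FilterRegistrationBean<>(new DisableUrlSessionFilter());
        registration.addUrlPatterns("/*");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    /** Hypothetical filter: refuses URL-borne session ids and disables URL rewriting. */
    public static class DisableUrlSessionFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) {
            // nothing to configure
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
                chain.doFilter(req, res);
                return;
            }
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // A session id that arrived in the URL (;jsessionid=...) rather than in the
            // cookie is untrusted: it may come from a shared, crawled or pasted link.
            // Invalidate that session so the link can never resume it.
            if (request.isRequestedSessionIdFromURL()) {
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }

            // Stop the container from appending ;jsessionid= to URLs it encodes
            // (encodeURL / encodeRedirectURL, used by JSP <c:url>, redirects, etc.).
            HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
                @Override
                public String encodeURL(String url) {
                    return url;
                }

                @Override
                public String encodeRedirectURL(String url) {
                    return url;
                }
            };
            chain.doFilter(request, noRewrite);
        }

        @Override
        public void destroy() {
            // nothing to release
        }
    }
}
```

With this in place, a crawler that already indexed a URL with ;jsessionid= still gets the page, but the stale id is never honoured and no new URL is emitted with an id in it, so the indexed URLs converge on the clean form over time. Configuring cookie-only tracking (as the answers below do) is the primary fix; the filter is defence in depth for links that reach the server anyway.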

People also ask

Why is Jsessionid in URL?

The JSESSIONID is used to ensure that load balancers properly route communications to and from the correct client/server partners. By default, Oracle Forms requests a JSESSIONID be generated and maintained in the URL of each exchange between the client and server.

Is Jsessionid a cookie?

JSESSIONID is a cookie generated by Servlet containers and used for session management in J2EE web applications for HTTP protocol. If a Web server is using a cookie for session management, it creates and sends JSESSIONID cookie to the client and then the client sends it back to the server in subsequent HTTP requests.

What is Jsessionid in spring?

JSESSIONID is a cookie generated by Servlet containers like Tomcat or Jetty and used for session management in the J2EE web application for HTTP protocol.

How do I store Jsessionid?

To start off, the JSESSIONID is stored in a cookie. If cookies are turned off, you have to get into URL rewriting to store the jsessionid in the URL. There is nothing else about the session in cookies.


2 Answers

As this question is in a Spring Boot context, the easy solution for me was:

server:
  session:
    tracking-modes: cookie

From Spring Boot 2 onwards:

server:
  servlet:
    session:
      tracking-modes: cookie

Added in application.yml, it modifies the embedded Tomcat config. From the list of all Spring Boot properties: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#common-application-properties

most_wanted answered Nov 05 '22 23:11


I created a quick-and-dirty spring-boot app and here's what I came up with.

You can alter the generated ServletInitializer in this fashion:

package com.division6.bootr;

import java.util.Collections;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;

public class ServletInitializer extends SpringBootServletInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // This can be done here or as the last step in the method
        // Doing it in this order will initialize the Spring
        // Framework first, doing it as last step will initialize
        // the Spring Framework after the Servlet configuration is 
        // established
        super.onStartup(servletContext);

        // This will set to use COOKIE only
        servletContext.setSessionTrackingModes(
                Collections.singleton(SessionTrackingMode.COOKIE));

        // This will prevent any JS on the page from accessing the
        // cookie - it will only be used/accessed by the HTTP transport
        // mechanism in use
        SessionCookieConfig sessionCookieConfig =
                servletContext.getSessionCookieConfig();
        sessionCookieConfig.setHttpOnly(true);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringBootrApplication.class);
    }

}

AUTHOR NOTE

I am not 100% sure when this was introduced but by introducing the following parameters, the same can be accomplished without having to write code:

  • server.servlet.session.cookie.http-only=true
  • server.servlet.session.tracking-modes=cookie
Dave G answered Nov 05 '22 22:11
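One caveat for the asker's setup: SpringBootServletInitializer.onStartup is only invoked when the application is deployed as a WAR to an external container, so with embedded Tomcat started from main() the override above never runs. The following is an added example (my own code, not the answerer's) that applies the same two settings through a ServletContextInitializer bean, which Spring Boot calls for the embedded container as well. The package and class names are assumptions, and the Secure flag assumes the site is served over HTTPS (its property form, server.servlet.session.cookie.secure, is a real Spring Boot 2.x property).

```java
package example; // hypothetical package name

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CookieOnlySessionConfig {

    /** Hypothetical bean: programmatic equivalent of the two properties in the author note. */
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return (ServletContext servletContext) -> {
            // Equivalent of server.servlet.session.tracking-modes=cookie: the
            // container never reads a session id from the URL and never appends
            // ;jsessionid= when encoding URLs, so crawlers cannot pick one up.
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

            // Equivalent of server.servlet.session.cookie.http-only=true (keeps the
            // id away from page scripts) plus Secure, so the id only travels over
            // TLS. Secure assumes the site is served over HTTPS.
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
        };
    }
}
```

setSessionTrackingModes must be called before the ServletContext finishes initialising, which is exactly when Spring Boot invokes ServletContextInitializer beans; calling it later throws an IllegalStateException. A quick check after startup is to request any page with a ;jsessionid=... path parameter and confirm that the response sets a fresh JSESSIONID cookie rather than adopting the id from the URL.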