How can I remove the jsessionid from my urls?
I'm using Spring Boot MVC (without Spring Security; tomcat embedded).
I've read that it could be done by setting the disableUrlRewriting to "true". But this looks like a Spring Security solution, which I don't use (it's a simple project without login; just pages; a session-controller exists and has to be a session-controller).
I'm asking this because GoogleBot is creating urls containing the id.
EDIT: I solved it with the solution described at: https://randomcoder.org/articles/jsessionid-considered-harmful
The JSESSIONID is used to ensure that loadbalancers properly route communications to and from the correct client/server partners. By default, Oracle Forms requests a JSESSIONID be generated and maintained in the URL of each exchange between the client and server.
JSESSIONID is a cookie generated by Servlet containers and used for session management in J2EE web applications for HTTP protocol. If a Web server is using a cookie for session management, it creates and sends JSESSIONID cookie to the client and then the client sends it back to the server in subsequent HTTP requests.
JSESSIONID is a cookie generated by Servlet containers like Tomcat or Jetty and used for session management in the J2EE web application for HTTP protocol.
To start off, the JSESSIONID is stored in a cookie. If cookies are turned off, you have to get into URL rewriting to store the jsessionid in the URL. There is nothing else about the session in cookies.
As this question is in the Spring Boot context, the easy solution for me was:

    server:
      session:
        tracking-modes: cookie

After Spring 2 onwards:

    server:
      servlet:
        session:
          tracking-modes: cookie

Added in application.yml, it modifies the embedded Tomcat config. From the list of all Spring Boot properties: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#common-application-properties
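A check to run after switching to cookie-only tracking, as an added example that is not part of the answers on this page: it audits a captured HTTP response for `;jsessionid=` in the `Location` header and in body URLs, and for a `JSESSIONID` cookie without `HttpOnly`. The function name `audit_response` and both sample responses are constructed for illustration.

```python
import re

# Path parameter a servlet container appends when URL session tracking is on,
# e.g. /list;jsessionid=ABC123?page=2
JSESSIONID_IN_URL = re.compile(r";jsessionid=[^?#\s\"'<>]+", re.IGNORECASE)

def audit_response(raw):
    """Return a list of findings for one raw HTTP response string."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in head.split("\n")[1:] if ":" in line]
    findings = []
    for name, value in headers:
        lname = name.lower()
        # Redirects built with encodeRedirectURL() carry the id in Location.
        if lname == "location" and JSESSIONID_IN_URL.search(value):
            findings.append("Location header exposes session id")
        # With cookie-only tracking the id travels in Set-Cookie instead.
        if lname == "set-cookie" and value.split("=", 1)[0].strip() == "JSESSIONID":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append("JSESSIONID cookie lacks HttpOnly")
    # Links and form actions rendered through encodeURL() carry it in the body.
    hits = JSESSIONID_IN_URL.findall(body)
    if hits:
        findings.append(f"{len(hits)} body URL(s) expose session id")
    return findings

SID = "0123456789ABCDEF0123456789ABCDEF"  # constructed sample value

# Constructed response with URL rewriting still enabled.
BEFORE = (
    "HTTP/1.1 302\r\n"
    f"Location: /home;jsessionid={SID}\r\n"
    f"Set-Cookie: JSESSIONID={SID}; Path=/\r\n"
    "\r\n"
    f'<a href="/list;jsessionid={SID}?page=2">next</a>'
)

# Constructed response after tracking-modes: cookie is applied.
AFTER = (
    "HTTP/1.1 200\r\n"
    f"Set-Cookie: JSESSIONID={SID}; Path=/; HttpOnly\r\n"
    "\r\n"
    '<a href="/list?page=2">next</a>'
)

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(resp))
```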
I created a quick-and-dirty spring-boot app and here's what I came up with.
The ServletInitializer that is generated, you can alter it in this fashion:
    package com.division6.bootr;

    import java.util.Collections;

    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.SessionCookieConfig;
    import javax.servlet.SessionTrackingMode;

    import org.springframework.boot.builder.SpringApplicationBuilder;
    import org.springframework.boot.context.web.SpringBootServletInitializer;

    public class ServletInitializer extends SpringBootServletInitializer {

        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            // This can be done here or as the last step in the method
            // Doing it in this order will initialize the Spring
            // Framework first, doing it as last step will initialize
            // the Spring Framework after the Servlet configuration is
            // established
            super.onStartup(servletContext);

            // This will set to use COOKIE only
            servletContext
                .setSessionTrackingModes(
                    Collections.singleton(SessionTrackingMode.COOKIE)
                );

            // This will prevent any JS on the page from accessing the
            // cookie - it will only be used/accessed by the HTTP transport
            // mechanism in use
            SessionCookieConfig sessionCookieConfig =
                servletContext.getSessionCookieConfig();
            sessionCookieConfig.setHttpOnly(true);
        }

        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(SpringBootrApplication.class);
        }
    }
AUTHOR NOTE
I am not 100% sure when this was introduced but by introducing the following parameters, the same can be accomplished without having to write code: