I am deploying an app using the Spring framework on Apache Tomcat. When running the application from Tomcat directly, there's no jsessionid appended to any URL at all, but after mapping the application to the domain and trying to run it, I get a jsessionid appended to each URL in the application. I tried the Spring Security attribute disable-url-rewriting, but it doesn't work: it removes the jsessionid from the URL, but then the application doesn't work any more and the user cannot log in.
So I guess it's another problem. Any ideas why this happens or how to solve it?
JSESSIONID is a cookie generated by Servlet containers and used for session management in J2EE web applications over the HTTP protocol. If a web server is using a cookie for session management, it creates and sends a JSESSIONID cookie to the client, and the client then sends it back to the server in subsequent HTTP requests.
By default, Oracle Forms requests a JSESSIONID be generated and maintained in the URL of each exchange between the client and server. The JSESSIONID is generated by the WebLogic Server (WLS) managed server hosting the Forms Servlet. WLS adds the JSESSIONID to the URL using a method called URL Rewriting.
Each authenticated user has an HttpSession, so each jsessionid locates the authenticated user information. Note, however, that the jsessionid itself contains no sensitive information; it is just a randomly generated lookup key, and that key can, and will, change value without notice.
The JSESSIONID is generated by the servlet container (Jetty, Tomcat, or the built-in one if you run a Grails app standalone). The session-id is generated by the HTTP server in use, such as Apache.
Fixed in Spring Security 3 https://jira.springsource.org/browse/SEC-1052
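The answers above describe what the JSESSIONID is; the symptom in the question (URL rewriting appears only after the app is mapped to a domain, and login breaks once rewriting is disabled) is what you see when the container falls back to URL rewriting because the browser is not returning the session cookie, typically because the cookie's Path or Domain no longer matches the path the browser sees behind the mapping. The following Servlet 3.0 listener is an added example, not code from the question, from Spring or from Tomcat: it forces cookie-only session tracking (the container-level equivalent of Spring Security's disable-url-rewriting) and pins the cookie attributes so the cookie survives the domain mapping. The init-param name `session.cookie.path` and the class name are assumptions made for the example.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not from the original page): cookie-only session tracking for a
 * Servlet 3.0+ container such as Tomcat 7+, with the JSESSIONID cookie attributes
 * set explicitly so the browser returns the cookie even when the app is served
 * under a different domain or path than the Tomcat context path.
 *
 * Equivalent to <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * in web.xml, plus the cookie-config child elements.
 */
@WebListener
public class CookieOnlySessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Never encode the session id into URLs. With COOKIE as the only mode,
        //    response.encodeURL()/encodeRedirectURL() return the URL unchanged, so the
        //    session id cannot leak via Referer headers, proxy and access logs, browser
        //    history or pasted links. Must run before the context finishes initialising,
        //    which is why it lives in a @WebListener's contextInitialized().
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // 2. The cookie Path must match what the browser sees. Tomcat defaults Path to the
        //    context path (e.g. "/myapp"); if a front-end maps https://example.com/ onto
        //    http://tomcat:8080/myapp, the browser is at "/" and silently drops a cookie
        //    scoped to "/myapp", the container sees no cookie, and falls back to URL
        //    rewriting. Disabling rewriting then leaves no session at all and login fails.
        //    "session.cookie.path" is a hypothetical init-param for the example; "/" is a
        //    reasonable default for a host that serves a single application.
        String path = ctx.getInitParameter("session.cookie.path");
        cookie.setPath(path != null ? path : "/");

        // 3. Hardening: keep the id out of reach of scripts and off plaintext connections.
        //    setSecure(true) assumes the site is served over TLS; on a plain-HTTP test
        //    deployment the browser will refuse to send the cookie, so gate it accordingly.
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

After deploying, confirm the fix from the outside: the login response should carry a single `Set-Cookie: JSESSIONID=...; Path=/; Secure; HttpOnly` header whose Path is a prefix of the URL the browser actually requests, and no link or redirect in the HTML should contain `;jsessionid=`. If the application is deployed under a context path but published at the root of the domain, the same cookie path can alternatively be set on Tomcat's `<Context>` element via its `sessionCookiePath` attribute without touching application code.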