Disable jsessionid path parameter in Java web applications

January 28, 2011 by Michael

Wow, this has driven me nuts…

Most J2EE developers will know the ugly-as-hell ;jsessionid=BLAHBLAHBLAH that is appended as a path parameter to all URLs of an application on the first call of a page that creates a session.

As of version 6, Tomcat lets you add the attribute disableURLRewriting="true" to the context of the application, but that didn’t work for me…

The problem was: I’m using Spring Security, and Spring Security has its own mechanism and control for the session store.

It can be disabled through security-conf.xml (or wherever you’ve stored the Spring Security configuration) within the http element:

<http use-expressions="true" disable-url-rewriting="true" create-session="ifRequired">

And boom, the path parameter is gone.

For more information see The Security Namespace

The jsessionid parameter is used on the first page that requires a session because the server cannot know at this point whether the client supports cookies or not. If you disable it, your clients need to allow cookies, otherwise no session will be created.

2 comments

  1. Fermin wrote:

    Thanks! Works perfect!

    Posted on June 26, 2014 at 1:24 AM | Permalink
  2. Pradeep wrote:

    How can we do the same for JBoss 4.2.3 GA?

    Posted on April 26, 2016 at 2:38 PM | Permalink