Wow, this has driven me nuts…
Most J2EE developers will know the ugly-as-hell ;jsessionid=BLAHBLAHBLAH that is appended as a path parameter to all URLs of an application on the first call of a page that creates a session.
As of version 6, Tomcat lets you add the attribute disableURLRewriting="true" to the context of the application, but that didn't work for me…
The problem was: I'm using Spring Security, and Spring Security has its own mechanism and control for the session store.
It can be disabled through security-conf.xml (or wherever you’ve stored the Spring Security configuration) within the http element:
<http use-expressions="true" disable-url-rewriting="true" create-session="ifRequired">
And boom, the path parameter is gone.
For more information see The Security Namespace
The jsessionid parameter is used on the first page that requires a session, as the server cannot know at this point in time whether the client supports cookies or not. If you disable it, your clients need to allow cookies, otherwise no session will be created.