Tomcat - Disable JSESSIONID in URL
2013-08-09 13:32
http://fralef.me/tomcat-disable-jsessionid-in-url.html
http://stackoverflow.com/questions/5276634/remove-jsessionid-in-url-rewrite-in-spring-mvc/5276689#5276689
I had a problem with a Java webapp that runs inside a Tomcat 6 container.
When the browser is set to block sites from storing any data (that is, cookies are refused), Tomcat 6 rewrites the URL and adds a JSESSIONID path parameter to it. Session IDs in URLs are sensitive information that should not be transmitted via the GET method, for security reasons. It may also have a bad impact on SEO: because each session ID is unique, multiple visits by the same search bot return identical content under different URLs. The rewritten URL looks like this:
    https://webapp.com/index.jsp;jsessionid=557206C363F1267A24AB769CA0DE4529.node01
Security is a major concern for our customers, and JSESSIONIDs appearing in URLs freak them out, especially when they demonstrate that you can take a URL from the app, email it to someone else, and have that person magically bypass authentication and assume the role of the other user (as long as the session is still valid, of course).
The thing is that URL-based session tracking is intended for web clients that do not support session cookies. Every browser worth mentioning supports these cookies, and almost nobody surfs with them disabled. Moreover, we are comfortable saying that in order to use our application you need to have cookies enabled, so I'm making the assumption that if we disable the feature of putting JSESSIONID into URLs, cookie-based session setting/tracking will still function just as we expect.
You have multiple solutions to disable URL rewriting:
1. 'disableURLRewriting' attribute
In Tomcat 6, you can disable URL rewriting by setting the 'disableURLRewriting' attribute to true in your context.xml:
    <?xml version='1.0' encoding='utf-8'?>
    <Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
    </Context>
For this to work you have to make sure that the "cookies" attribute is not set to false (true is the default).
The Tomcat 6 Context reference describes the two attributes as follows:
Attribute "cookies": Set to true if you want cookies to be used for session identifier communication if supported by the client (this is the default). Set to false if you want to disable the use of cookies for session identifier communication, and rely only on URL rewriting by the application.
Attribute "disableURLRewriting": Set to true to disable support for using URL rewriting to track session IDs for clients of this Context. URL rewriting is an optional component of the servlet 2.5 specification but disabling URL rewriting will result in non-compliant behaviour since the specification requires that there must be a way to retain sessions if the client doesn't allow session cookies. If not specified, the specification compliant default value of false will be used.
2. "Servlet Filter"
You can use a servlet filter such as Tuckey UrlRewriteFilter, which allows you to rewrite URLs before they get to your code. The outbound rule below hides the jsessionid for requests from googlebot; with the user-agent condition in place it only addresses the SEO concern, so remove the condition if you want the ID stripped for every client.
    <outbound-rule>
        <name>Strip URL Session ID's</name>
        <note>
            Strip ;jsessionid=XXX from urls passed through response.encodeURL().
            The characters ? and # are the only things we can use to find out where the jsessionid ends.
            The expression in 'from' below contains three capture groups, the last two being optional.
              1, everything before ;jsessionid
              2, everything after ;jsessionid=XXX starting with a ? (to get the query string) up to #
              3, everything after ;jsessionid=XXX and optionally ?XXX starting with a # (to get the target)
            eg, from index.jsp;jsessionid=sss?qqq to index.jsp?qqq
                from index.jsp;jsessionid=sss?qqq#ttt to index.jsp?qqq#ttt
                from index.jsp;jsessionid=asdasdasdsadsadasd#dfds to index.jsp#dfds
                from u.jsp;jsessionid=wert.hg to u.jsp
                from /;jsessionid=tyu to /
        </note>
        <condition name="user-agent">googlebot</condition>
        <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
        <to>$1$2$3</to>
    </outbound-rule>
3. Switch to Tomcat 7!
The Servlet 3.0 standard gives you two ways to disable URL session rewriting. This works in Tomcat 7, Glassfish v3, and any other Servlet 3.0-compliant servlet container. First, you can add this to your web.xml webapp config:
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
Or programmatically, you can use:
    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
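As an added example (not from the original post, nor from Tomcat or Tuckey), the programmatic Servlet 3.0 call from point 3 placed in the one spot where it is allowed to run, plus a filter that applies the expression and $1$2$3 rewrite from the Tuckey rule in point 2 on the server side. It assumes a Servlet 3.0 container with annotation scanning enabled; the class names are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Servlet 3.0 (Tomcat 7+): request cookie-only session tracking at start-up.
// setSessionTrackingModes() is only allowed while the context is initialising;
// calling it later throws IllegalStateException, hence the listener.
@WebListener
public class CookieOnlySessions implements ServletContextListener {
    @Override public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Read back what the container actually applied; expect [COOKIE].
        ctx.log("effective session tracking modes: " + ctx.getEffectiveSessionTrackingModes());
    }
    @Override public void contextDestroyed(ServletContextEvent sce) { }
}

// Defence in depth where the container still honours ;jsessionid=... in the path:
// an id that arrived in the URL (an emailed link, a crawler's log) never resumes a
// session. The client is redirected to the same URL with the path parameter removed,
// using the Tuckey rule's expression and its $1$2$3 rewrite.
@WebFilter("/*")
class RejectUrlSessionIdFilter implements Filter {
    private static final Pattern STRIP_JSESSIONID =
        Pattern.compile("^(.*?)(?:\\;jsessionid=[^\\?#]*)?(\\?[^#]*)?(#.*)?$");

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        if (req.isRequestedSessionIdFromURL()) {
            // getRequestURI() is the raw request-line path, so it still carries the parameter.
            String url = req.getRequestURI();
            if (req.getQueryString() != null) url += "?" + req.getQueryString();
            String clean = STRIP_JSESSIONID.matcher(url).replaceFirst("$1$2$3");
            // Deliberately no getSession() here: the id in the URL is treated as untrusted.
            ((HttpServletResponse) rs).sendRedirect(clean);
            return;
        }
        chain.doFilter(rq, rs);
    }
    @Override public void init(FilterConfig fc) { }
    @Override public void destroy() { }
}
```

With cookie-only tracking in effect the container never reports a URL-supplied id, so the filter is a no-op there; it matters for a context still running with the default COOKIE plus URL modes.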
Sources:
http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html