Tomcat - Disable JSESSIONID in URL
2016-06-14 17:32
I had a problem with a Java webapp running inside a Tomcat 6 container. When the browser is set to block cookies, Tomcat 6 rewrites the URL and appends a JSESSIONID path parameter to it.
A session ID carried in the URL is sensitive information that should not be transmitted that way: a URL of a GET request ends up in browser history, proxy and server access logs, and the Referer header sent to other sites. It also has a bad impact on SEO: because the session ID is unique, repeated visits by the same search bot return identical content under different URLs.
https://webapp.com/index.jsp;jsessionid=557206C363F1267A24AB769CA0DE4529.node01
Security is a major concern for our customers, and JSESSIONIDs
appearing in the URLs freak them out (especially when you demonstrate
that you can copy a URL from the app, email it to someone else, and have
that person bypass authentication and assume the role of the
original user, as long as the session is still valid).
The thing is that URL-based session tracking is intended for web
clients that do not support session cookies. Every browser worth
mentioning supports these cookies, and almost nobody surfs with them
disabled. Moreover, we are comfortable saying that in order to use our
application you need to have cookies enabled, so I'm making the
assumption that if we disable the feature of putting JSESSIONID into the
URLs, cookie-based session setting/tracking will still function just as
we expect.
You have multiple solutions to disable URL rewriting:
1. 'disableURLRewriting' attribute
In Tomcat 6, you can disable URL rewriting by setting the 'disableURLRewriting' attribute to true in your context.xml:

<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>

For this to work you have to make sure that the "cookies" attribute is not set to false (true is the default). From the Tomcat Context documentation:

cookies
    Set to true if you want cookies to be used for session identifier
    communication if supported by the client (this is the default). Set to
    false if you want to disable the use of cookies for session identifier
    communication, and rely only on URL rewriting by the application.

disableURLRewriting
    Set to true to disable support for using URL rewriting to track
    session IDs for clients of this Context. URL rewriting is an optional
    component of the Servlet 2.5 specification, but disabling URL rewriting
    will result in non-compliant behaviour, since the specification requires
    that there must be a way to retain sessions if the client doesn't allow
    session cookies. If not specified, the specification-compliant default
    value of false will be used.
2. Servlet filter
You can use a servlet filter such as Tuckey's UrlRewriteFilter, which allows you to rewrite URLs before they reach your code.
3. Switch to Tomcat 7!
The Servlet 3.0 standard gives you two ways to disable URL session rewriting. This works in Tomcat 7, GlassFish v3, and any other Servlet
3.0-compliant servlet container. First, you can add this to your web.xml
webapp config (the descriptor must declare web-app version 3.0 or later, otherwise the element is not recognised):

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Or programmatically, you can use:

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

Note that the programmatic call is only allowed while the context is being initialised (for example from a ServletContextListener); calling it later throws an IllegalStateException.
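A complete version of the programmatic route, added here as an example (it is not code from the original post and not Tomcat's own): a ServletContextListener that switches the application to cookie-only tracking at startup, marks the session cookie HttpOnly, and registers a small filter that refuses any request still presenting a session ID in the URL. It assumes a Servlet 3.0/3.1 container such as Tomcat 7 or 8 with the javax.servlet API (Tomcat 10 and later use the jakarta.servlet package instead); the class and filter names are my own.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Forces cookie-only session tracking for the whole web application and
 * rejects any request that still tries to present a session ID in the URL.
 *
 * ServletContext.setSessionTrackingModes() may only be called while the
 * context is being initialised (afterwards it throws IllegalStateException),
 * so a ServletContextListener is the place to call it.
 * (Example class; the names are assumptions, not a Tomcat API.)
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent to <tracking-mode>COOKIE</tracking-mode> in web.xml:
        // the container stops appending ;jsessionid=... to encoded URLs and
        // stops honouring it on incoming requests.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The session now lives only in the cookie, so keep it away from
        // page scripts as well (SessionCookieConfig is also Servlet 3.0 API).
        ctx.getSessionCookieConfig().setHttpOnly(true);

        // Defence in depth: register the filter programmatically (no web.xml
        // entry needed) and place it before any filters declared in web.xml.
        FilterRegistration.Dynamic reg =
                ctx.addFilter("rejectUrlSessionId", new RejectUrlSessionIdFilter());
        reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");

        ctx.log("Effective session tracking modes: "
                + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }

    /**
     * With COOKIE-only tracking the container ignores ;jsessionid in the path,
     * so isRequestedSessionIdFromURL() is normally false. If URL tracking is
     * ever re-enabled, this filter invalidates the presented session and
     * refuses the request, so a leaked link cannot be replayed.
     */
    public static final class RejectUrlSessionIdFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) {
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            if (request.isRequestedSessionIdFromURL()) {
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();   // the ID has been exposed; kill it
                }
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Session identifiers in the URL are not accepted");
                return;
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() {
        }
    }
}
```

Drop the class into the webapp's classpath; the @WebListener annotation is picked up as long as the web.xml does not set metadata-complete="true". To verify the result, fetch a page with cookies disabled (for instance with curl and no cookie jar) and confirm that neither the Location header nor any link in the body contains ;jsessionid=.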