-
Oct 29th, 2008, 04:52 PM
#1
Preventing jsessionId from going into URLs
Hey I've got a new bug in my Spring MVC app that requires the jSessionId never be shown in the url. Now I've done some looking around and realize that RedirectView will encode the url and make it happen.
Now I have cookies enabled but oddly enough, when I visit my context root without a trailing slash I see jSessionId in the url. I can take this url verbatim and paste it into another browser and assume that session (after logging in).
So how can I prevent it from ever showing up in the URL?
Yes I know you could probably spoof the cookie too but it's just so obvious when it's in the URL. Also, and this may be more of a core Java thing than Spring MVC, is there a way to include something extra like IP or something besides jSessionId?
-
Oct 29th, 2008, 05:50 PM
#2
"jsessionid" is added by the container (Tomcat, etc), not by Spring. It is basically a fallback session tracking mechanism that's used if cookies aren't available. You can clean up such URLs with a servlet filter or with Apache & mod_rewrite.
I found a couple of URLs but this site is rather dumb: "You are only allowed to post URLs to other sites after you have made 5 posts or more." Try a Google search for:
JSESSIONID considered harmful
and:
Purging jsessionids
-
Oct 30th, 2008, 06:16 PM
#5
Thanks for the reply. So I'm using Jetty, but cookies are enabled on my browser. I don't understand why this ever happens and it only happens if I start from a new browser and don't have the trailing slash on the url. Weird. I found this URL (http://randomcoder.com/articles/jses...idered-harmful) and like the approach to invalidate the session if it's from the URL.
I'm also using ACEGI and will see if there is something I can do with their filters to invalidate sessions requested via URL.
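Added example (not code from this thread, Spring, Jetty or Acegi) that combines the two ideas above: the servlet filter from #2 that stops session ids being written into URLs, and the "invalidate it if it came from the URL" approach from #5. The class name and the regex are my own; it assumes the Servlet 2.5 API (javax.servlet) of the 2008-era stack. The reason the trailing-slash case shows the id is that the container issues its own redirect for the context root and, on the very first request, has not yet seen a session cookie come back, so it cannot know cookies work and falls back to rewriting the id into the redirect URL.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: a session id carried in the URL is never honoured,
 * and the container is prevented from writing one into any URL it encodes.
 * Map it to /* in web.xml ahead of the Acegi filter chain.
 */
public class NoUrlSessionIdFilter implements Filter {

    // Matches the ";jsessionid=..." path parameter, case-insensitively (assumed format).
    private static final String JSESSIONID_PATH_PARAM = "(?i);jsessionid=[^;/?]*";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Id came from the URL: kill that session and bounce the client to the
        //    same resource without the path parameter. Whatever id was leaked in
        //    the URL is now worthless, so pasting it into another browser does nothing.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Strip the parameter ourselves: containers differ on whether
            // getRequestURI() still contains it.
            String cleanUri = request.getRequestURI().replaceAll(JSESSIONID_PATH_PARAM, "");
            String query = request.getQueryString();
            // sendRedirect is used deliberately without encodeRedirectURL.
            response.sendRedirect(query == null ? cleanUri : cleanUri + "?" + query);
            return;
        }

        // 2. Downstream code (RedirectView, <c:url>, response.encodeURL) still asks
        //    the container to rewrite URLs; make every such call a no-op so the
        //    cookie is the only carrier the app ever uses.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url)         { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            // Deprecated spellings, still called by older code.
            @Override public String encodeUrl(String url)         { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        };
        chain.doFilter(request, noRewrite);
    }
}
```

Caveat: the container's own context-root redirect (the trailing-slash case) is issued before the filter chain runs, so this filter cannot stop that one URL from carrying an id; it does make the id useless, because the very next request arrives with the id in the URL and step 1 invalidates it and redirects to the clean path. Because the invalidated session was never logged in, nothing is lost. On a Servlet 3.0 or later container the cleaner fix is to declare cookie-only tracking in web.xml (`<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`), which disables URL rewriting at the source; the filter remains useful on older containers and as defence in depth.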