Tomcat - Disable JSESSIONID in URL
I had a problem with a Java webapp that works within a Tomcat 6 container.
In fact, when you block sites from setting any data inside your browser, Tomcat 6 rewrites the URL and adds a JSESSIONID parameter to it:

    https://webapp.com/index.jsp;jsessionid=557206C363F1267A24AB769CA0DE4529.node01
Security is a major concern for our customers, and JSESSIONIDs
appearing in the URLs freak them out (especially when they demonstrate
that you can get a URL from the app, email it to someone else, and have
that person magically bypass authentication and assume the role of the
other user - of course as long as the session is still valid).
The thing is that URL-based session tracking is intended for web
clients that do not support session cookies. Every browser worth
mentioning supports these cookies, and almost nobody surfs with them
disabled. Moreover, we are comfortable saying that in order to use our
application you need to have cookies enabled, so I'm making the
assumption that if we disable the feature of putting JSESSIONID into the URLs, cookie-based session setting/tracking will still function just as
we expect.
You have multiple solutions to disable URL rewriting:
1. 'disableURLRewriting' attribute
In Tomcat 6, you can disable URL rewriting by setting the 'disableURLRewriting' attribute to true in your context.xml.
For this you have to make sure that the "cookies" attribute is not set to false. This is the default.
* Attribute cookies: Set to true if you want cookies to be used for session tracking.
* Attribute disableURLRewriting: Set to true to disable support for using URL rewriting to track sessions.
2. Servlet filter
You can use a servlet filter such as Tuckey, which allows you to rewrite URLs before they get to your code.
3. Switch to Tomcat 7!
The Servlet 3.0 standard gives you two ways to disable URL session
rewriting. This works in Tomcat 7, Glassfish v3, and any other Servlet
3.0-compliant servlet container. First, you can add this to your web.xml webapp config:

    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Or programmatically, you can use:

    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
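The programmatic call above only works while the web application is still being initialized; afterwards the container rejects it. The usual place for it is a ServletContextListener. The listener below is an added example, not code from the original post: it forces cookie-only tracking, hardens the session cookie while it is at it, and exposes a small check that a health-check page or startup test can call to confirm that URL rewriting is really off. The class name and the assumption that the application is served over HTTPS only are mine.

```java
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example (class name assumed, not from the original post).
 * Registers itself via @WebListener on any Servlet 3.0 container
 * (Tomcat 7, Glassfish v3, ...), so no web.xml entry is needed.
 */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Only allow the session id to travel in a cookie. The container
        // will then never append ;jsessionid=... when encoding URLs.
        // This call is legal only during context initialization; calling it
        // later (e.g. from a servlet) throws IllegalStateException.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Since the session id now lives only in a cookie, protect that cookie:
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from JavaScript
        cookie.setSecure(true);   // only sent over HTTPS (assumes an HTTPS-only deployment)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Returns true when the container will use cookies and nothing else to
     * track sessions, i.e. URL rewriting is effectively disabled.
     * Suitable for a startup assertion or an internal health-check page.
     */
    public static boolean urlRewritingDisabled(ServletContext ctx) {
        Set<SessionTrackingMode> modes = ctx.getEffectiveSessionTrackingModes();
        return modes.size() == 1 && modes.contains(SessionTrackingMode.COOKIE);
    }
}
```

If both this listener and a `<session-config><tracking-mode>` element are present, the programmatic call made during initialization wins, so it is worth keeping only one of the two to avoid surprises during future configuration changes.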