Tomcat - Disable JSESSIONID in URL - sysadmin stuff

Aug 16, 2012 - The thing is that URL-based session tracking is intended for web clients that do not support session cook



sysadmin stuff by @jeekajoo

Tomcat - Disable JSESSIONID in URL

I had a problem with a Java webapp that works within a Tomcat 6 container. In fact when you block sites from setting any

    <Context path="/CONTEXT" disableURLRewriting="true">

For this you have to make sure that the attribute "cookies" is not set to false. This is the default.

Attribute cookies: Set to true if you want cookies to be used for session identifier communication if supported by the client (this is the default). Set to false if you want to disable the use of cookies for session identifier communication, and rely only on URL rewriting by the application.

Attribute disableURLRewriting: Set to true to disable support for using URL rewriting to track session IDs for clients of this Context. URL rewriting is an optional component of the servlet 2.5 specification but disabling URL rewriting will result in non-compliant behaviour since the specification requires that there must be a way to retain sessions if the client doesn't allow session cookies. If not specified, the specification compliant default value of false will be used.

2. "Servlet Filter"

You can use a servlet filter such as Tuckey (http://tuckey.org/urlrewrite/), which allows you to rewrite URLs before they get to your code.

3. Switch to Tomcat 7!

The Servlet 3.0 standard gives you two ways to disable URL session rewriting. This works in Tomcat 7, Glassfish v3, and any other Servlet 3.0-compliant servlet container. First, you can add this to your web.xml webapp config:

    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Or programmatically, you can use:

    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

Sources:
http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

Date: August 16, 2012 (2012-08-16T18:19:00+02:00)
By: @jeekajoo
Category: hardening
Tags: tomcat, hardening, security, jsessionid, cookie

One Comment

Anonymous • 3 years ago

Thanks
