Skip to content

May 12, 2011

3

Disable URL session IDs (JSESSIONID) in Tomcat 7, Glassfish v3

URL-based session tracking is intended for web clients that do not support session cookies. Every browser worth mentioning supports these cookies, and almost nobody surfs with them disabled. Most web sites either state explicitly or assume that a user’s browser supports session cookies. URL rewriting schemes that add the session ID as a parameter on every URL thus provide very little benefit, if any at all. Session IDs showing up in URLs is just bad form, and may confuse search engine spiders. Thankfully the Servlet 3.0 standard gives you two ways to disable URL session rewriting. This works in Tomcat 7, Glassfish v3, and any other Servlet 3.0-compliant servlet container.

First, you can add this to your web.xml web-app config:

<session-config> 
    <tracking-mode>COOKIE</tracking-mode> 
</session-config>

Or programmatically, you can use:

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

I’ve used the web.xml method in Tomcat 7, and it works. No jsessionid in the URLs when using <c:url …> in my JSPs.

Read more from Java
3 Comments Post a comment
  1. Mike
    Sep 5 2011

    I’ve been looking for this answer about 5 days. I think it should be pinned somewhere, because i found that many people has problems with jsessionid. Thanks a lot for this article.

    Reply
  2. Per Wramdemark
    Aug 26 2012

    Thanks, helped me! /Per

    Reply
  3. deniz
    Sep 10 2012

    i tried on firefox with both disabling and enabling cookies and it works perfectly but i want to know that what about google bots ? did google bot indexed your urls without jsessionid ? i have no published projects.

    i’m using glassfish v3.1.2 and jsf 2.1

    Reply

Share your thoughts, post a comment.

(required)
(required)

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments