How do I remove the jsessionid from URLs in JBoss EAP?
Environment
Red Hat JBoss Enterprise Application Platform (EAP)
4.x
5.x
6.x
7.x
Issue
For security or other requirements there is sometimes a need to remove the jsessionid
completely from any generated URLs; a session ID carried in the URL is exposed in browser
history, bookmarks, Referer headers and proxy or server logs. The default behaviour of the
servlet container is to pass the jsessionid both via the URL and via a cookie on the first
request that accesses the session. If the client rejects the cookie, or cookies are not
enabled, the session can still be tied to subsequent requests via the jsessionid in the URL.
How to remove jsessionid from the URL
Resolution
https://access.redhat.com/solutions/16169 1/7
3/17/23, 4:44 PM How do I remove the jsessionid from URLs in JBoss EAP? - Red Hat Customer Portal
Disclaimer: Links contained herein to the external website(s) are provided for convenience
only. Red Hat has not reviewed the links and is not responsible for the content or its
availability. The inclusion of any link to an external website does not imply endorsement by
Red Hat of the website or their entities, products or services. You agree that Red Hat is not
responsible or liable for any loss or expenses that may result due to your use of (or reliance
on) the external site or content.
EAP 6.x/7.x:
As per the Servlet 3.0 and 3.1 specifications, use the <tracking-mode> setting in web.xml to
configure the session tracking mechanism (COOKIE, URL and SSL can be specified). By default
both COOKIE and URL are enabled, though URL tracking only takes effect if the application is
written to support it, i.e. it calls response.encodeURL() or response.encodeRedirectURL() so
that the jsessionid is encoded into its URLs. Omitting URL from the configured tracking modes
removes the jsessionid from URLs (= disables URL rewriting) regardless of the application
code, because encodeURL() then returns the URL unchanged. So, to use COOKIE only for session
tracking, set the following in web.xml:
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
If your WAR is packaged in an EAR whose META-INF/jboss-all.xml contains a <session-config>
block, then ensure the <tracking-mode> is set in that EAR's META-INF/jboss-all.xml as well,
because the EAR-level session configuration applies to the WAR.
Note that there is a bug regarding this feature in EAP 6.0.x. Red Hat recommends using the
latest version of EAP 6, which contains the fix.
Please also refer to this article.
EAP 4.x/5.x:
Note: the disableURLRewriting attribute in context.xml described in Tomcat's documentation
cannot be used, because that attribute was not introduced until Tomcat 6.0.30, whereas JBoss
EAP 4.x and 5.x are based on forks of Tomcat 6.0.13 and 6.0.15 respectively.
Instead, register a servlet filter that wraps the response so that its encodeURL() methods
return the URL unchanged, which stops the container from appending ;jsessionid= to links:
package com.example;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
// Wraps the response so every encode*URL() call returns the URL untouched,
// which stops JBoss Web from appending ;jsessionid=... to generated links.
public class JsessionIdRemoveFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) { // non-HTTP request: nothing to strip
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse wrappedResponse =
                new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public String encodeUrl(String url) { // deprecated Servlet 2.0 name, still called
                return url;
            }
            @Override
            public String encodeURL(String url) {
                return url;
            }
            // Redirect variants added for completeness: without them a redirect built with
            // encodeRedirectURL() would still carry the id in the Location header.
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }
            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }
        };
        chain.doFilter(req, wrappedResponse);
    }
    @Override
    public void destroy() {}
}
Register the filter in the application's web.xml:
<filter>
<filter-name>JsessionIdRemoveFilter</filter-name>
<filter-class>com.example.JsessionIdRemoveFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JsessionIdRemoveFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
By default a <filter-mapping> applies the filter only to ordinary client requests (dispatcher
value REQUEST). Error pages are served through the container's error-page mechanism, and their
links would still get ;jsessionid= encoded unless the filter also runs there, so the mapping
needs a <dispatcher> value of ERROR as well. In Servlet 2.5 the dispatcher element has four
legal values: REQUEST (the filter is applied under ordinary client calls to the path or
servlet), FORWARD (applied under RequestDispatcher.forward() calls), INCLUDE (applied under
RequestDispatcher.include() calls) and ERROR (applied under the error page mechanism).
Hence, use the following mapping in web.xml instead of the one above, so that the error pages
are filtered as well:
<filter>
    <filter-name>JsessionIdRemoveFilter</filter-name>
    <filter-class>com.example.JsessionIdRemoveFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>JsessionIdRemoveFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
Now the ;jsessionid will no longer show up in the URL in the browser. As noted in the JIRA
the code was taken from, this solution effectively disables URL rewriting, which also means
the site no longer works for clients without cookies; for a good user experience, add a
check that tells users when cookies are disabled.
If Apache httpd is used as a load balancer in front of JBoss EAP, another option is a
mod_rewrite rule at the httpd layer that redirects any request carrying ;jsessionid= to the
same URL without it:
RewriteEngine On
RewriteRule ^([^;]+);jsessionid=[A-Za-z0-9\-\+\_\*]+\.[A-Za-z0-9]+(.*)$ $1$2 [L,R=301]
Note that this pattern requires the jvmRoute suffix (the ".node1" style part after the session
ID); if your instances do not set a jvmRoute, make the \.[A-Za-z0-9]+ part optional. The
external 301 redirect means the browser never keeps the URL-borne ID, but httpd cannot stop
EAP from generating such links in page bodies, so combine it with the container-side settings
above rather than relying on it alone.
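As an added, stand-alone check (this is not code from the Red Hat article), the following Python script applies the exact RewriteRule pattern above to constructed sample paths, shows that the pattern only matches IDs that carry a jvmRoute suffix, and scans a constructed HTML page for links that still carry ;jsessionid=, which is the test to run against an application after any of the fixes on this page. The relaxed pattern, the sample URLs and the sample HTML are assumptions made for the example. Like httpd, it matches the rule against the path only and re-attaches the query string afterwards.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Exactly the pattern from the RewriteRule above. Note the mandatory
# "\.<jvmRoute>" suffix after the session ID.
HTTPD_RULE = re.compile(r"^([^;]+);jsessionid=[A-Za-z0-9\-\+\_\*]+\.[A-Za-z0-9]+(.*)$")

# Assumed variant for this example (not from the page): jvmRoute optional, so
# IDs from instances without a jvmRoute are stripped too.
RELAXED_RULE = re.compile(r"^([^;]+);jsessionid=[A-Za-z0-9\-\+\_\*]+(?:\.[A-Za-z0-9]+)?(.*)$")


def strip_jsessionid(url, pattern=HTTPD_RULE):
    """Mirror `RewriteRule <pattern> $1$2 [L,R=301]`.

    httpd matches the pattern against the request path (no query string) and
    keeps the query string on the redirect, so do the same here.
    Returns (rewritten_url, matched).
    """
    parts = urlsplit(url)  # urlsplit keeps ";jsessionid=..." inside .path
    m = pattern.match(parts.path)
    if not m:
        return url, False
    return urlunsplit(parts._replace(path=m.group(1) + m.group(2))), True


# Attribute values that still carry a URL-encoded session ID; links in the
# page body are what the container-side fixes above are meant to suppress.
_LEAK = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']*;jsessionid=[^"']*)["']""", re.I)


def find_leaked_session_urls(html):
    """Return every href/src/action value in `html` containing ;jsessionid=."""
    return _LEAK.findall(html)


# Constructed sample data (not captured from a real server).
SAMPLE_ID = "5C3D1A2B3C4D5E6F7A8B9C0D1E2F3A4B"
SAMPLE_HTML = f"""
<a href="/app/home;jsessionid={SAMPLE_ID}.node1">Home</a>
<a href="/app/about">About</a>
<form action='/app/login;jsessionid={SAMPLE_ID}.node1' method="post"></form>
<img src="/app/logo.png">
"""

if __name__ == "__main__":
    for path in (f"/app/page.jsp;jsessionid={SAMPLE_ID}.node1?x=1",
                 f"/app/page.jsp;jsessionid={SAMPLE_ID}"):
        print(path, "->", strip_jsessionid(path), strip_jsessionid(path, RELAXED_RULE))
    print("leaked:", find_leaked_session_urls(SAMPLE_HTML))
```

Running it shows the second sample path (no jvmRoute) is left untouched by the page's rule but stripped by the relaxed one, and that two of the four sample links still leak the session ID; after deploying the tracking-mode setting or the filter, feeding a real response body to find_leaked_session_urls() should return an empty list.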
This solution is part of Red Hat’s fast-track publication program, providing a huge library of
solutions that Red Hat engineers have created while supporting our customers. To give you the
knowledge you need the instant it becomes available, these articles may be presented in a raw
and unedited form.
How to change "jsessionid" session identifier for url rewriting in JBoss EAP 6
Is it possible to maintain sticky sessions with only the JSessionID in the URL?
2 Comments
12 August 2014 10:58 AM
Jamie Cruise (Community Member, 25 Points)
I implemented this filter and I also added the following to context.xml in order to have
secure and httpOnly cookies: