3/17/23, 4:44 PM How do I remove the jsessionid from URLs in JBoss EAP? - Red Hat Customer Portal


How do I remove the jsessionid from URLs in JBoss EAP?
SOLUTION VERIFIED - Updated September 9 2021 at 3:32 PM - English

Environment
Red Hat JBoss Enterprise Application Platform (EAP)
4.x
5.x
6.x
7.x

Issue
For security or other requirements there is at times a need to remove the jsessionid
completely from any generated URLs. The default behaviour of the servlet container is to
pass the jsessionid both via the URL and via a cookie on the first request that accesses the
session. In that case, if the client rejects the cookie, or cookies are not enabled, the
session can still be tied to the request via the jsessionid in the URL.
How to remove jsessionid from the URL

Resolution


Disclaimer: Links contained herein to the external website(s) are provided for convenience
only. Red Hat has not reviewed the links and is not responsible for the content or its
availability. The inclusion of any link to an external website does not imply endorsement by
Red Hat of the website or their entities, products or services. You agree that Red Hat is not
responsible or liable for any loss or expenses that may result due to your use of (or reliance
on) the external site or content.

EAP 6.x/7.x:
As per the Servlet 3.0 and 3.1 specifications, use the <tracking-mode> setting in web.xml to
configure the session tracking mechanism (COOKIE, URL and SSL can be specified). A combination
of COOKIE and URL is allowed by default, though the application has to be written to support
URL tracking, and it has to use response.encodeURL() or response.encodeRedirectURL() properly
for the jsessionid to be encoded into URLs. Removing the URL setting removes the jsessionid
from URLs (i.e. disables URL rewriting) regardless of the application code.
So, you can use COOKIE only for session tracking by setting the following example
configuration:

<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

If your WAR is within an EAR that has a <session-config> block in its META-INF/jboss-all.xml,
then ensure the <tracking-mode> is set in that EAR's META-INF/jboss-all.xml as well.

Note that there is a bug regarding this feature in EAP 6.0.x. Red Hat recommends using the
latest versions of EAP 6, which contain the fix.
Please also refer to this article.
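Once URL tracking is disabled, the cookie carries the whole session, so it is worth hardening that cookie in the same <session-config> block. The web.xml below is an added example for EAP 6/7, not part of the Red Hat solution; it combines the <tracking-mode> setting from above with the Servlet 3.0 <cookie-config> element. The 30-minute timeout is an assumed value to adjust to the application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Assumed value: minutes of inactivity before the session (and the
         usefulness of a leaked session cookie) expires -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Cookie is not readable from JavaScript, which limits what an
           injected script can steal -->
      <http-only>true</http-only>
      <!-- Cookie is only sent over HTTPS; the site must therefore be served
           over TLS or the browser never returns it (see the comment below) -->
      <secure>true</secure>
    </cookie-config>

    <!-- COOKIE only: URL is absent, so encodeURL()/encodeRedirectURL() never
         append ;jsessionid=... regardless of the application code -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

With the URL mode gone, a client that does not return cookies gets a fresh session on every request, which is the trade-off the resolution describes for the EAP 4/5 filter as well.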

EAP 4.x/5.x:
Note: The disableURLRewriting attribute in context.xml, as described in Tomcat's documentation,
cannot be used, because that feature was not introduced until Tomcat 6.0.30, whereas JBoss
EAP 4.x and 5.x are based on forks of 6.0.13 and 6.0.15, respectively.

The following Filter is an adaptation of the Filter listed in
https://jira.jboss.org/jira/browse/JBSEAM-3018. Create JsessionIdRemoveFilter.java in your
code base:


package com.example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Non-HTTP requests are passed through untouched
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links
        // bookmarked/stored by bots)
        // This is ONLY triggered if the request did not also contain a JSESSIONID
        // cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            // getRequestURL() does not contain the ;jsessionid path parameter,
            // so re-appending the query string yields the clean URL
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            // sendError() goes through the container's error page mechanism,
            // hence the ERROR dispatcher mapping in web.xml below
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // every encode*() variant returns the URL unchanged
        HttpServletResponseWrapper wrappedResponse =
                new HttpServletResponseWrapper(response) {
                    @Override
                    public String encodeRedirectUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeRedirectURL(String url) {
                        return url;
                    }

                    @Override
                    public String encodeUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeURL(String url) {
                        return url;
                    }
                };
        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

Then edit the web.xml to contain:

<filter>
<filter-name>JsessionIdRemoveFilter</filter-name>
<filter-class>com.example.JsessionIdRemoveFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JsessionIdRemoveFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

A filter-mapping without a <dispatcher> element applies the filter only to ordinary client
calls to the path or servlet. Since the redirect above is sent with sendError(), which goes
through the error page mechanism, the filter also has to be mapped with a dispatcher value of
ERROR. The dispatcher element has four legal values: FORWARD, REQUEST, INCLUDE and ERROR.
FORWARD means the Filter is applied under RequestDispatcher.forward() calls. REQUEST means the
Filter is applied under ordinary client calls to the path or servlet. INCLUDE means the Filter
is applied under RequestDispatcher.include() calls. ERROR means the Filter is applied under the
error page mechanism.


<filter>
<filter-name>JsessionIdRemoveFilter</filter-name>
<filter-class>com.example.JsessionIdRemoveFilter</filter-class>
</filter>

<filter>
<filter-name>error</filter-name>
<filter-class>com.example.JsessionIdRemoveFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>JsessionIdRemoveFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>ERROR</dispatcher>
</filter-mapping>

<filter-mapping>
<filter-name>error</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Hence, use the configuration above in web.xml instead of the earlier one, so that the error
page is filtered as well. Now the ;jsessionid will no longer show up in the URL in the
browser. As noted in the JIRA the code was taken from, this solution effectively disables URL
rewriting and also means the site no longer works without cookies, so for a good user
experience an additional cookie check is needed.
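One way to do that cookie check, as an added example that is not part of the Red Hat solution or the JIRA it cites: a second Servlet 2.5 filter sets a probe cookie on the first cookie-less GET, redirects once with a marker parameter, and if the cookie does not come back answers with an explicit error instead of letting the application lose the session silently. The class, cookie and parameter names are hypothetical.

```java
package com.example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the Red Hat solution): with URL rewriting disabled, a
 * client that does not return cookies gets a new session on every request. This
 * filter detects that client with a probe cookie and reports it clearly.
 */
public class CookieSupportCheckFilter implements Filter {

    // Hypothetical names; any names not used by the application will do
    static final String PROBE_COOKIE = "cookiecheck";
    static final String PROBE_PARAM = "cookiecheck";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Only probe plain GET requests: redirecting a POST would drop its body
        if (!(req instanceof HttpServletRequest)
                || !"GET".equals(((HttpServletRequest) req).getMethod())) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client returned the JSESSIONID cookie or our probe cookie:
        // cookies work, nothing to do
        if (request.isRequestedSessionIdFromCookie() || hasProbeCookie(request)) {
            chain.doFilter(req, res);
            return;
        }

        // Marker present but no probe cookie came back: this client does not send
        // cookies, and without URL rewriting no session can be kept for it.
        // Say so now rather than failing later inside the application.
        if (request.getParameter(PROBE_PARAM) != null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This site requires cookies to keep you logged in.");
            return;
        }

        // First contact without any cookie: set the probe cookie and redirect to the
        // same URL with the marker appended; the next request shows whether it returns
        Cookie probe = new Cookie(PROBE_COOKIE, "1");
        probe.setPath("/");
        response.addCookie(probe);
        response.sendRedirect(probeUrl(request));
    }

    /** Rebuilds the requested URL with the marker parameter added to the query string. */
    static String probeUrl(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        url.append(query != null ? "?" + query + "&" : "?");
        url.append(PROBE_PARAM).append("=1");
        return url.toString();
    }

    static boolean hasProbeCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (PROBE_COOKIE.equals(cookie.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Register it in web.xml after JsessionIdRemoveFilter (filters run in mapping order) and map it to the application's dynamic URL patterns rather than /*, so static resources and monitoring probes are not redirected. The 403 can be replaced by a forward to a page that explains the cookie requirement.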

If using Apache httpd as a load balancer in front of JBoss EAP, then another option would
be configuring a rewrite rule at the Apache httpd layer with mod_rewrite:

RewriteEngine On
RewriteRule ^([^;]+);jsessionid=[A-Za-z0-9\-\+\_\*]+\.[A-Za-z0-9]+(.*)$ $1$2 [L,R=301]
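To see what that rule strips before putting it in front of production, the following is an added example (not part of the Red Hat solution) that applies the same expression in java.util.regex to constructed sample paths. It goes one step beyond the page: the rule as written requires the ".<jvmRoute>" suffix that JBoss Web appends to the session id when a jvmRoute is configured, so a second pattern makes that suffix optional for instances without one. The class name and sample ids are assumptions.

```java
package com.example;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the Red Hat solution): shows the effect of the
 * mod_rewrite rule on constructed URL paths without needing an httpd.
 */
public class JsessionIdStripper {

    // Same expression as the RewriteRule on the page; the character class is
    // written without backslashes, which is equivalent in PCRE and in Java.
    // The mandatory "\.[A-Za-z0-9]+" is the ".<jvmRoute>" suffix.
    static final Pattern WITH_ROUTE = Pattern.compile(
            "^([^;]+);jsessionid=[A-Za-z0-9+_*-]+\\.[A-Za-z0-9]+(.*)$");

    // Generalisation: route suffix optional, so ids from an instance without a
    // jvmRoute (no dot in the id) are stripped as well
    static final Pattern OPTIONAL_ROUTE = Pattern.compile(
            "^([^;]+);jsessionid=[A-Za-z0-9+_*-]+(?:\\.[A-Za-z0-9]+)?(.*)$");

    /** Returns the path without its ;jsessionid=... parameter, or unchanged if absent. */
    static String strip(Pattern pattern, String urlPath) {
        Matcher m = pattern.matcher(urlPath);
        return m.matches() ? m.group(1) + m.group(2) : urlPath;
    }

    public static void main(String[] args) {
        // Constructed sample paths. mod_rewrite matches the URL path only; the query
        // string is not part of the match and is carried over to the redirect.
        String[] samples = {
            "/app/page.jsp;jsessionid=8A2F3B0C9D1E4F5A6B7C8D9E0F1A2B3C.node1",
            "/app/page.jsp;jsessionid=8A2F3B0C9D1E4F5A6B7C8D9E0F1A2B3C",
            "/app/page.jsp",
        };
        for (String s : samples) {
            System.out.println(s);
            // The page rule leaves the second sample untouched: no ".route" suffix
            System.out.println("  page rule      -> " + strip(WITH_ROUTE, s));
            System.out.println("  optional route -> " + strip(OPTIONAL_ROUTE, s));
        }
    }
}
```

Run it with `java com.example.JsessionIdStripper`; the first sample is cleaned by both patterns, the second only by the generalised one, and the third is returned as is.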

Product(s): Red Hat JBoss Enterprise Application Platform. Component: jbossas. Tags: jboss, jbossweb, jboss_eap

This solution is part of Red Hat’s fast-track publication program, providing a huge library of
solutions that Red Hat engineers have created while supporting our customers. To give you the
knowledge you need the instant it becomes available, these articles may be presented in a raw
and unedited form.

2 Comments

12 August 2014 10:58 AM
Jamie Cruise (Community Member, 25 Points)

I implemented this filter and I also added the following to context.xml in order to have
secure and httpOnly cookies:

<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true"/>
</Context>

But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help

27 August 2014 7:56 AM
Jamie Cruise (Community Member, 25 Points)

In order to use secure=true, a certificate needs to be installed so the requests go
through https.

Copyright © 2023 Red Hat, Inc.
