How to prevent the JSESSIONID showing in the URL [duplicate]

Question

This question already has an answer here:

• How to prevent adding jsessionid at the end of redirected url 1 answer
• Is it possible to disable jsessionid in tomcat servlet? 8 answers

I have created an login page in servlet using Google Datastore, it is working fine. but sometimes its showing the JSESSIONID in the URL.

How can I prevent the JSESSIONID sending through the URL? why its passing through the URL instead of request message?

Answer 1

Add the following entry in your web.xml.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

This will instruct the container that the client supports cookies and hence there is no need to put the JSessionId in the URL.

Answer 2

Are you using response.encodeURL()? If so, try to remove it or disable "URL Rewriting" and check the URL.

See also:

• disableURLRewriting

Apache Tomcat Configuration Reference

Additional information:

response.encodeURL(URL) adds ;jsessionid=xxxx... to URL. To disable this(="URL Rewriting"),

Tomcat 7.0 or later:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

Tomcat 6.0:

<Context disableURLRewriting="true" ...