How can I remove the jsessionid from my urls?
I'm using Spring Boot MVC (without Spring Security; tomcat embedded).
I've read that It could be done by setting the disableUrlRewriting to "true". But this looks like a Spring Security solution, which I don't use (it's a simple project without login; just pages; a session-controller exists and has to be a session-controller).
I'm asking this because GoogleBot is creating urls containing the id.
EDIT: I solved it with the solution described at: https://randomcoder.org/articles/jsessionid-considered-harmful
I created a quick-and-dirty spring-boot app and here's what I came up with.
The ServletInitializer that is generated, you can alter it in this fashion:
package com.division6.bootr;
import java.util.Collections;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;
public class ServletInitializer extends SpringBootServletInitializer {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
// This can be done here or as the last step in the method
// Doing it in this order will initialize the Spring
// Framework first, doing it as last step will initialize
// the Spring Framework after the Servlet configuration is
// established
super.onStartup(servletContext);
// This will set to use COOKIE only
servletContext
.setSessionTrackingModes(
Collections.singleton(SessionTrackingMode.COOKIE)
);
// This will prevent any JS on the page from accessing the
// cookie - it will only be used/accessed by the HTTP transport
// mechanism in use
SessionCookieConfig sessionCookieConfig=
servletContext.getSessionCookieConfig();
sessionCookieConfig.setHttpOnly(true);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(SpringBootrApplication.class);
}
}
AUTHOR NOTE
I am not 100% sure when this was introduced but by introducing the following parameters, the same can be accomplished without having to write code:
- server.servlet.session.cookie.http-only=true
- server.servlet.session.tracking-modes=cookie
As this question is in spring boot context, easy solution for me was:
server:
session:
tracking-modes: cookie
Added in appication.yml it modifies embedded tomcat config. From list of ll spring boot properties: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#common-application-properties
you can also try this,
@Bean
public ServletContextInitializer servletContextInitializer() {
return new ServletContextInitializer() {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
SessionCookieConfig sessionCookieConfig=servletContext.getSessionCookieConfig();
sessionCookieConfig.setHttpOnly(true);
}
};
}
来源:https://stackoverflow.com/questions/31791587/spring-boot-remove-jsessionid-from-url