Disable jsessionid via http header (cookie) in Tomcat 7

hiccuphell · Sep 27, 2011 · Viewed 11.7k times

I'm looking to disable jsessionid from being used in the https headers. Is there a way to turn this off or disable this being set as a cookie in Tomcat 7?

I either want the jsessionid to arrive embedded in the GET method URL name-value pairs or to be part of the POST request name-value pairs.

I know all the advantages and disadvantages of using cookie-based sessioning and URL rewriting, but I have specific needs for a specific impl of RESTful web services.

I need Tomcat 7 to accept jsessionid without using the HTTP header: jsessionid.

Thanks.

UPDATE:

So I looked around some more and found this, which is implemented using the web.xml conf.
However, the following doesn't seem to work with Tomcat 7.

<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config> 

Is it a case of TC7 not fully implementing the Servlet 3.0 spec?

Answer

palacsint · Sep 29, 2011

The web.xml setting works for me with Tomcat 7.0.20.

Log and check the effective (and maybe the default) session tracking modes:

logger.info("default STM: {}", servletContext.getDefaultSessionTrackingModes());
logger.info("effective STM: {}", servletContext.getEffectiveSessionTrackingModes());

Maybe your app overrides the session tracking modes somewhere in the code. An example:

final Set<SessionTrackingMode> trackingModes = 
    Collections.singleton(SessionTrackingMode.COOKIE);
servletContext.setSessionTrackingModes(trackingModes);

Check ServletContext.setSessionTrackingModes() calls in your code.

It's also possible to set default session tracking modes in Tomcat's context settings, but I found that web.xml settings override them.
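
The check described in the answer above, written out as a complete listener. This is an added example, not code from the original answer: the class name `SessionTrackingAudit` is hypothetical, `java.util.logging` stands in for the answer's logger, and the `javax.servlet` 3.0 API that ships with Tomcat 7 is assumed. It logs the default and effective modes at startup, applies URL-only tracking if something else is in effect, and refuses to start the context if cookie tracking is still enabled afterwards.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical class; it must be registered with @WebListener or a <listener>
// entry in web.xml, otherwise setSessionTrackingModes() throws
// UnsupportedOperationException.
@WebListener
public class SessionTrackingAudit implements ServletContextListener {

    private static final Logger LOG =
            Logger.getLogger(SessionTrackingAudit.class.getName());

    // The mode the question asks for: session id in the URL, no cookie.
    private static final Set<SessionTrackingMode> WANTED =
            EnumSet.of(SessionTrackingMode.URL);

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        LOG.info("default STM: " + ctx.getDefaultSessionTrackingModes());
        LOG.info("effective STM at startup: " + ctx.getEffectiveSessionTrackingModes());

        if (!WANTED.equals(ctx.getEffectiveSessionTrackingModes())) {
            // Only legal while the context is still initializing; an
            // IllegalStateException here means it was called too late.
            ctx.setSessionTrackingModes(WANTED);
        }

        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        LOG.info("effective STM after listener: " + effective);
        if (effective.contains(SessionTrackingMode.COOKIE)) {
            // An exception thrown from a listener makes the context fail to start.
            throw new IllegalStateException("cookie session tracking still enabled: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```

A listener that runs later and calls `setSessionTrackingModes()` again still wins, so if the logged modes and the observed behaviour disagree, search the code base for other callers as the answer suggests.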