Java – Is it possible to disable jsessionid in tomcat servlet


Is it possible to turnoff jsessionid in the url in tomcat? the jsessionid seems not too search engine friendly.

Best Answer

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.