Tomcat – Disable jsessionid via http header (cookie) in Tomcat 7


I'm looking to disable jsessionid from being used in the HTTPS headers.
Is there a way to turn this off or disable this being set as a cookie in Tomcat 7?

I either want the jsessionid to arrive embedded in the GET method URL name-value pairs or to be part of the POST request name-value pairs.

I know all the advantages and disadvantages of using cookie-based sessioning and URL rewriting, but I have specific needs for a specific implementation of RESTful web services.

I need Tomcat 7 to accept jsessionid without using the HTTP header: jsessionid.

Thanks.

UPDATE:

So I looked around some more and found this, which is implemented using the web.xml configuration.
However, the following doesn't seem to work with Tomcat 7.

<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config> 

Is it a case of TC7 not fully implementing the Servlet 3.0 spec?

Best Answer

The web.xml setting works for me with Tomcat 7.0.20.

Log and check the effective (and maybe the default) session tracking modes:

logger.info("default STM: {}" , servletContext.getDefaultSessionTrackingModes());
logger.info("effective STM: {}" , servletContext.getEffectiveSessionTrackingModes());

Maybe your app overrides the session tracking modes somewhere in the code. An example:

final Set<SessionTrackingMode> trackingModes = 
    Collections.singleton(SessionTrackingMode.COOKIE);
servletContext.setSessionTrackingModes(trackingModes);

Check ServletContext.setSessionTrackingModes() calls in your code.

It's also possible to set default session tracking modes in Tomcat's context settings, but I found that web.xml settings override them.
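The check described in the answer, as an added example that is not part of the original post: a startup listener that logs the default and effective tracking modes, sets URL-only tracking, and fails deployment if the result is anything else. The class name is hypothetical, and the Servlet 3.0 `javax.servlet` API on Tomcat 7 is assumed.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical class name; assumes the Servlet 3.0 API (javax.servlet) on Tomcat 7.
@WebListener
public class UrlOnlySessionTrackingListener implements ServletContextListener {

    private static final Logger LOG =
            Logger.getLogger(UrlOnlySessionTrackingListener.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // What the container would use if nothing were configured.
        LOG.info("default STM: " + ctx.getDefaultSessionTrackingModes());
        // What web.xml or earlier startup code has already selected.
        LOG.info("effective STM before: " + ctx.getEffectiveSessionTrackingModes());

        // Only allowed during startup; once the context is initialized
        // this call throws IllegalStateException.
        Set<SessionTrackingMode> urlOnly = EnumSet.of(SessionTrackingMode.URL);
        ctx.setSessionTrackingModes(urlOnly);

        // Re-read the effective set and refuse to start on a mismatch.
        // A listener that runs later can still change the modes again.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        LOG.info("effective STM after: " + effective);
        if (!effective.equals(urlOnly)) {
            throw new IllegalStateException("Unexpected session tracking modes: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up.
    }
}
```

With URL tracking, Tomcat carries the ID as a `;jsessionid=` path parameter rather than a query parameter, so links the application generates have to pass through `HttpServletResponse.encodeURL()`.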
