Highly motivated Senior Java/JEE Software Developer with 7+ years of solid industry experience. Excellent team player with experience working in distributed international teams, using the Agile/Scrum methodology. Artur has posted 9 posts at DZone.

Java jsessionid in URL

02.21.2012

Today developers use JSTL to write clean JSP code. Let's talk about JSTL's url tag, <c:url ...>.

People complain that whenever they use <c:url ...>, all links on their site contain a strange jsessionid parameter, which disappears after refreshing the page.

Some of them think that this is a bug.

This isn't a bug. Whenever a new session is created, the server does not yet know whether the client supports cookies, so it sets a session cookie and also appends the jsessionid to every URL. When the client comes back the second time and presents the cookie, the server knows the jsessionid in the URL isn't necessary and drops it. If the client comes back without the cookie, the server has to keep rewriting URLs with the jsessionid.

But nowadays it's really hard to imagine clients/users without cookie support.

While the web application as a whole works fine with this behaviour, the jsessionid parameter might be a problem for your application's SEO and security.

SEO Impact

Some search engines may penalize sites which serve identical content from multiple unique URLs. Because the session id is unique, multiple visits by the same search bot will return identical content under different URLs.

This is a real problem: search for inurl:;jsessionid and you will see around 620 million results.

Security Risk

It is nothing new that putting the session ID in the URL potentially allows an attacker to hijack a victim's session: a URL gets copied into links, browser history, proxy and server logs and the Referer header, so a session ID carried there leaks far more easily than one carried in a cookie.
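As an added example (not code from the article), here is the defensive check on the request side: the filter shown later in this article stops the container from emitting jsessionid links, but a container will still accept a session ID presented in the URL, so this hypothetical filter uses isRequestedSessionIdFromURL() to invalidate such a session and redirect to the clean URL. The package and class names are assumptions.

```java
package my.package.web.filter; // hypothetical package, chosen to match the article's filter

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rejects session IDs that arrive as a ;jsessionid=... path parameter.
 * The article's URLSessionFilter stops the container from *emitting* such
 * links; this one stops the application from *accepting* them, which is
 * what closes the hijacking window described above.
 */
public class RejectUrlSessionFilter implements Filter {

	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		if (!(request instanceof HttpServletRequest)) {
			chain.doFilter(request, response);
			return;
		}
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;

		// The container records where the requested session ID came from.
		if (req.isRequestedSessionIdFromURL()) {
			// A session bound to a leaked ID must not stay usable: invalidate it.
			HttpSession session = req.getSession(false);
			if (session != null) {
				session.invalidate();
			}
			// Send the client to the same resource without the ID; a new session,
			// if one is needed, is created there and tracked by cookie only.
			res.sendRedirect(stripSessionId(req));
			return;
		}
		chain.doFilter(request, response);
	}

	/** Request path plus query string, with any ;jsessionid=... path parameter removed. */
	static String stripSessionId(HttpServletRequest req) {
		// Some containers keep path parameters in getRequestURI(), so strip them explicitly.
		// getRequestURI() starts with "/", so the redirect stays on this server.
		String path = req.getRequestURI().replaceAll("(?i);jsessionid=[^;/?]*", "");
		String query = req.getQueryString();
		return query == null ? path : path + "?" + query;
	}

	public void init(FilterConfig filterConfig) {}

	public void destroy() {}
}
```

Map it with the same <filter-mapping> pattern as the article's filter; a cookie-less client simply gets a fresh session after the redirect.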

Now let's solve these issues.

Unfortunately the Servlet Specification and servlet containers do not provide a standard way to disable the use of URL-based sessions.

The solution/workaround is to create a servlet filter which disables (skips) URL-based session id generation.

package my.package.web.filter;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Wraps every HttpServletResponse so that URL encoding becomes a no-op:
 * the JSTL url tag, response.encodeURL() and response.encodeRedirectURL()
 * then return the URL unchanged and never append ;jsessionid=...
 */
public class URLSessionFilter implements Filter {

	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		// Only HTTP requests carry sessions; pass anything else through untouched.
		if (!(request instanceof HttpServletRequest)) {
			chain.doFilter(request, response);
			return;
		}

		HttpServletResponse httpResponse = (HttpServletResponse) response;

		// Override all four encode methods: the two lower-case variants are
		// deprecated but still exist in the API and old code still calls them.
		HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
			@Override
			public String encodeRedirectUrl(String url) {
				return url;
			}

			@Override
			public String encodeRedirectURL(String url) {
				return url;
			}

			@Override
			public String encodeUrl(String url) {
				return url;
			}

			@Override
			public String encodeURL(String url) {
				return url;
			}
		};
		// Everything downstream (servlets, JSPs, <c:url>) sees the wrapper, not the real response.
		chain.doFilter(request, wrappedResponse);
	}

	public void init(FilterConfig filterConfig) {
	}

	public void destroy() {
	}
}

To disable the default URL encoding functionality, we need to wrap the HttpServletResponse instance. The Java Servlet API provides a wrapper class for exactly this, HttpServletResponseWrapper; overriding its encodeURL and encodeRedirectURL methods (and their deprecated encodeUrl/encodeRedirectUrl aliases) to return the URL unchanged means that <c:url> and sendRedirect never get a jsessionid appended.

The servlet filter is ready; now we need to tell the servlet container about it by adding the following to web.xml:

<filter>
	<filter-name>URLSessionFilter</filter-name>
	<filter-class>my.package.web.filter.URLSessionFilter</filter-class>
</filter>

<filter-mapping>
	<filter-name>URLSessionFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

Who said this was difficult? That's all, enjoy coding.
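The article says the specification offers no standard switch; since Servlet 3.0 (2009) it does, and that is the container configuration the comments below refer to (Tomcat 7 implements Servlet 3.0). This added example, not part of the article, is a context listener that restricts session tracking to cookies and hardens the cookie itself; the package and class name are assumptions, and the declarative equivalent is <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in a version 3.0 web.xml.

```java
package my.package.web.listener; // hypothetical package

import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Servlet 3.0 standard way to switch off URL rewriting in any compliant
 * container: restrict the effective session tracking modes to COOKIE.
 * No response wrapper is needed; the container stops appending
 * ;jsessionid=... itself and should ignore one supplied in a request.
 */
@WebListener // auto-registered by a Servlet 3.0 container (or declare it in web.xml)
public class CookieOnlySessionListener implements ServletContextListener {

	public void contextInitialized(ServletContextEvent sce) {
		ServletContext ctx = sce.getServletContext();

		// Must be called during context initialization; the container throws
		// IllegalStateException if the modes are changed after startup.
		ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

		// While here, harden the cookie: unreadable from scripts and only
		// sent over TLS (assumes the application is served over HTTPS).
		SessionCookieConfig cookie = ctx.getSessionCookieConfig();
		cookie.setHttpOnly(true);
		cookie.setSecure(true);
	}

	public void contextDestroyed(ServletContextEvent sce) {
	}
}
```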

 

Published at DZone with permission of its author, Artur Mkrtchyan.


Comments

Antti Mattila replied on Tue, 2012/02/21 - 11:32pm

I made the example search and got hits _about_ jsessionid so there is nothing wrong with that result. 

The second hit was to a blog from 2006 (http://randomcoder.org/articles/jsessionid-considered-harmful) that seems to have been mostly duplicated here.

The information in this article seems to be outdated: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=1235687

I'd like to read and rely on java.dzone.com articles in the future so hopefully I got something wrong and I just didn't waste my time on some copypaste misinformation, so please correct me.

Sura Sos replied on Wed, 2012/02/22 - 12:44am

I think it is better to enable the session cookie on the server side than to write a filter. If a user has disabled cookies, you will still be able to track the user.

A URL with jsessionid is treated like any other dynamic content, so you are no longer penalized. Maybe that was not the case 5-10 years ago. You can find more info on Google Webmaster.

Artur Mkrtchyan replied on Wed, 2012/02/22 - 6:26am in response to: Antti Mattila

@Antti
You haven't seen anything wrong with the search result because the first two pages contain nothing strange, but the other pages really are content with the jsessionid URL.

Second, I had a real problem, I solved it and shared it with people. Instead of complaining I would be happy to hear some other solutions to handle this issue.

Artur Mkrtchyan replied on Wed, 2012/02/22 - 6:30am in response to: Sura Sos

@Sura In general you are right, we can try to handle this issue via container configuration. Some containers provide a configuration option to handle this, e.g. Tomcat 7 has that feature. But the current workaround is container independent.

Antti Mattila replied on Wed, 2012/02/22 - 9:13am

What was the problem you solved or think you solved? Did you have trouble with Google indexing your jsessionid and now the problem is no more? Can you give some real data or examples to support this?

I just posted a link in my previous comment where Google explains sessionid parameter shouldn't be a problem and how you can ignore other URL parameters. Did you read that? Do you think this is _not_ some other solution to handle this issue?

It still seems to me that you are copypasting an article from 2006 and giving misinformation, as Google itself says something different from what you are saying. Then you reply to that by saying really nothing (real data, facts) about how your article would be accurate. You also seem to ignore the other solution by Google itself and want to hear other solutions. What's up with that?

Artur Mkrtchyan replied on Wed, 2012/02/22 - 9:23am in response to: Antti Mattila

@Antti
For me, having jsessionid in the URL is not a nice thing and an issue. I solved at least that. If it's OK for you then just forget about this article.

Antti Mattila replied on Wed, 2012/02/22 - 9:44am

I probably wouldn't like the jsessionid in the URL either. That is not the issue here!

You seem to ignore all the comments (also from Sura Sos) about you giving misinformation about Google indexing jsessionid. I interpret this as you understand that you were wrong and gave misinformation but don't want to talk about it. I think it is really bad having an article here on java.dzone.com containing false information and I hope this can be removed.

Maybe a new article on not liking jsessionid in the URL and solving it with your own servlet filter instead of container configuration would be something to consider. But honestly I hope that wouldn't end up here either. Sorry for being this harsh. I just think this was really bad as the information is just wrong and hopefully somebody doesn't start doing stupid things believing this article.

Artur Mkrtchyan replied on Wed, 2012/02/22 - 10:19am in response to: Antti Mattila

Actually search engines have a problem even when your site without www doesn't redirect to www. It's duplicate content for them. (This message is from well known SEO analyzers.)
I'm not an SEO expert and have not too much time and money to pass these issues to SEO experts or try to find all SEO impacts myself. So this is a quick tip/how-to if you want to remove jsessionids from the URL without container confs...

I really will be happy to see some solutions for how to do this without a custom Filter, or at least a common solution for several containers.

Antti Mattila replied on Wed, 2012/02/22 - 10:44am

I'm not following your arguments here. Are you saying that redirecting from www domain (a link to the well known SEO analyzer message would be nice) has something to do with having jsessionid parameter in URL?

If you agree with Google that having the sessionid parameter in the URL is not a problem, could you at least remove that part from this article so other people are not misled.

Artur Mkrtchyan replied on Wed, 2012/02/22 - 11:09am in response to: Antti Mattila

The argument was related to SEO again that search engines require to do more and more steps to have a good result.

I started to use http://www.woorank.com; you can see some notes for www there. The www redirection was just an example. Anyway.

I have removed Google's specific part from the article and also changed the title. Hope you are OK with this now :)

Antti Mattila replied on Wed, 2012/02/22 - 11:35am

I like facts. You say you are not an SEO expert, but you post SEO advice: "Some search engines may penalizes".. The only fact I've seen is Google saying sessionid is not a problem. Do you have any _facts_ showing some search engine still actually has problems with sessionid parameter?

You say that in your opinion(?) "search engines require to do more and more steps to have a good result." What is the basis for this opinion? In my understanding it _was_ true and people tried to do all kinds of things to get their page ranked better. I have understood that Google fights this and tries to rank the pages based on the content, so you should concentrate on having the content right. I would be really surprised if some search engine would not recognize jsessionid in the URL and would actually index it. That's why I would really like to see some facts about it or removal of the misinformation.

Jonathan Card replied on Sat, 2013/02/23 - 2:13pm

Thank you. Putting aside what you can accomplish with Webmaster Tools, this will be useful for other search engines. It's also messing up my SSO solution, as the request for a ticket has the JSESSIONID in the URL, and then the ticket validation doesn't, and it's messing up the first request for any URL in the session. Thanks.
