tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Is there a better way to disable JSESSIONID in the URLs?
Date Fri, 20 Aug 2010 16:35:03 GMT


On 8/20/2010 8:33 AM, Pid wrote:
> On 19/08/2010 20:41, Wesley Acheson wrote:
>> On Thu, Aug 19, 2010 at 6:25 PM, Len Popp wrote:
>>> On Thu, Aug 19, 2010 at 12:01, Christopher Schultz wrote:
>>>> The servlet specification mandates this behavior. Tomcat simply must
>>>> support it. The spec says nothing of configurability, so Tomcat does not
>>>> provide any. Hence the need to write a filter to achieve your desired
>>>> behavior.
>>> That's not inviolable dogma. Tomcat does have some settings that make
>>> it operate out-of-spec, e.g. non-standard cookie parsing. I don't see
>>> why an option couldn't be added to disable JSESSIONID in URLs, if
>>> enough people would find it useful.
>>> --
>>> Len
>> Is there anywhere we could vote for such a feature?  I know Resin has it as
>> I've stated before.
> You could file an enhancement request in Bugzilla, but it would be more
> likely to get attention if it came with a patch.  I can't comment as to
> whether it would be approved or not.

This sounds like something that could easily be implemented as a Valve.
My understanding is that the only place where the jsessionid can't be
removed from URLs by a Filter is during the authentication process. A
Valve can be inserted /before/ the authentication/authorization Valve(s)
and therefore override the encodeURL behavior to perform /no/ URL rewriting.

Maybe one of the TC devs can tell us how to insert a Valve /before/ the
AAA valves that are automatically set up by the security configuration
in web.xml, but never explicitly defined using a <Valve> element anywhere.

-chris

