I'm working on a project with the following technologies:
While I'm de
You'll want to take it out of Tomcat, as others have suggested, but you'll still have problems with Shiro appending it to the end on redirects if you don't have a cookie set yet. There are two open tickets on the problem:
https://issues.apache.org/jira/browse/SHIRO-360
https://issues.apache.org/jira/browse/SHIRO-361
I tried to get Tuckey's URL Re-write to work and had partial success after a while. The problem is Shiro doesn't call response.encodeURL() and therefore doesn't trip the outbound rules. I was able to redirect inbound requests to remove the session id with these two rules:
<rule>
<note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
<from>^/(.*);JSESSIONID=.*[?](.*)$</from>
<to type="redirect">/$1?$2</to>
</rule>
<rule>
<note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
<from>^/(.*);JSESSIONID=.*[^?]$</from>
<to type="redirect">/$1</to>
</rule>
That at least makes it not show up in the browser, but it doesn't completely solve the problem, because the session ID was sent on the URL and then redirected to the location without it. It would be better if it never showed up at all.
UPDATE:
SHIRO-360 and SHIRO-361 have been fixed and the fixes are in Shiro 1.3.0. According to Brian Demers in SHIRO-361:
Set
sessionManager.sessionIdUrlRewritingEnabled = false
to disable appending JSESSIONID to the URL. NOTE: if a user has disabled cookies, they will NOT be able to login if this is disabled.
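To see what the two rewrite rules in the answer actually match, here is an added Java example (not code from the answer, from Shiro or from Tuckey) that runs the two `<from>` expressions verbatim with java.util.regex over constructed sample URIs, assuming the matched string includes the query string that the first rule's `[?]` requires. It also shows that the WITHOUT-query pattern matches URIs that do carry a query, so the order in which the rules are listed matters.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JsessionidRewriteCheck {

    // The two <from> patterns from the urlrewrite rules above, copied verbatim.
    static final Pattern WITH_QUERY    = Pattern.compile("^/(.*);JSESSIONID=.*[?](.*)$");
    static final Pattern WITHOUT_QUERY = Pattern.compile("^/(.*);JSESSIONID=.*[^?]$");

    /** Applies the rules in the order the answer lists them; null means no rule fired. */
    static String rewrite(String requestUri) {
        Matcher m = WITH_QUERY.matcher(requestUri);
        if (m.matches()) {
            return "/" + m.group(1) + "?" + m.group(2);   // <to>/$1?$2</to>
        }
        m = WITHOUT_QUERY.matcher(requestUri);
        if (m.matches()) {
            return "/" + m.group(1);                       // <to>/$1</to>
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the session id value is a placeholder, not a real one.
        String[] samples = {
            "/app/account;JSESSIONID=PLACEHOLDER123",
            "/app/account;JSESSIONID=PLACEHOLDER123?tab=2&sort=asc",
            "/app/account?tab=2",   // no session id in the path: neither rule should fire
        };
        for (String uri : samples) {
            System.out.println(uri + "  ->  " + rewrite(uri));
        }
        // Ordering matters: ".*[^?]$" only requires the LAST character not to be '?',
        // so the WITHOUT-query pattern also matches a URI that has a query string.
        // Listed first, it would redirect to "/app/account" and silently drop "?tab=2&sort=asc".
        String withQuery = samples[1];
        System.out.println("WITHOUT_QUERY also matches " + withQuery + ": "
                + WITHOUT_QUERY.matcher(withQuery).matches());
    }
}
```

Running it prints `/app/account`, `/app/account?tab=2&sort=asc` and `null` for the three samples, followed by `true` for the ordering check.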