Question

I'm writing a utility that needs to mimic HttpServletResponse.encodeURL(...) and HttpServletResponse.encodeRedirectURL(...).

I know that many servlet containers append ;jsessionid=XXX to the URL to track the session. My question is: do ALL servlet containers do it?

Please note that I'm aware that this function can be switched off if cookies are preferred.

So, my questions:

  1. Does every servlet container append ;jsessionid=XXX to the URL (when using URL-based session IDs)?
  2. Are there any other variants (e.g. jsessionid vs JSESSIONID)?
  3. Are there any other strange ways of tracking the session ID in the URL?

I'm interested in all major servlet containers (Jetty, Tomcat, JBoss, WebSphere, etc.).

Solution

Yes, you can definitely do this in WebLogic, WebSphere, Jetty and Tomcat prior to 7 (because I have done it). But the Java Servlet API up to version 2.5 states that the session identification cookie must be named JSESSIONID.

weblogic.xml

<session-descriptor>
   <cookie-name>myCustomSessionId</cookie-name>
</session-descriptor>

Jetty

The Session Management of Eclipse Jetty allows for setting both the session cookie name and path parameter name via either WEB-INF/web.xml context parameters, or via init parameters on specific contexts, or even on the server side Session Manager (to apply this setting to all deployed webapps on the server).

This is outlined in the Session Management documentation.

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
  xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
  version="2.5">
  ...
  <context-param>
    <param-name>org.eclipse.jetty.servlet.SessionCookie</param-name>
    <param-value>XSESSIONID</param-value>
  </context-param>
  <context-param>
    <param-name>org.eclipse.jetty.servlet.SessionIdPathParameterName</param-name>
    <param-value>xsessionid</param-value>
  </context-param>
  ...
</web-app>

Jetty also supports the Servlet 3.0 session-config name configuration:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
   xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
   metadata-complete="true"
   version="3.0">

   <session-config>
      <!-- Cookie settings belong inside cookie-config; children follow the schema's element order -->
      <cookie-config>
         <name>FOO_SESSION</name>
         <domain>foo.com</domain>
         <path>/my/special/path</path>
         <comment>This is my special cookie configuration</comment>
         <http-only>false</http-only>
         <secure>true</secure>
         <max-age>30000</max-age>
      </cookie-config>
   </session-config>
</web-app>

Tomcat - context.xml

<Context path="/myApp" sessionCookieName="myCustomSessionId">

Latest Tomcat

Tomcat no longer accepts non-specification compliant name-only cookies by default. However, a new system property has been added, org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY, that can be used to accept name-only cookies.

IBM Websphere 6.1

Servers > Application servers > server_name > Web container settings > Session management > Enable cookies

Cookie Name - your new name

Licensed under: CC-BY-SA with attribution
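
Since the path parameter name is configurable (for example `xsessionid` in the Jetty configuration above), a utility that mimics encodeURL has to take the name as input rather than hard-code `jsessionid`. The following is an added example, not code from the original post or from any container: the class `SessionUrlParam`, its methods and the sample session ID are hypothetical, and it assumes the caller has already decided that URL rewriting applies (valid session, no session cookie, same application).

```java
import java.util.regex.Pattern;

/** Added example: session path-parameter handling with a configurable name. */
public final class SessionUrlParam {
    private final String name; // e.g. "jsessionid", or "xsessionid" as configured for Jetty above
    private final Pattern stripPattern;

    public SessionUrlParam(String name) {
        this.name = name;
        // Match ";name=value" up to the next ';', '/', '?' or '#'.
        // Case-insensitive is a conservative choice of this example so that
        // both jsessionid and JSESSIONID spellings are removed.
        this.stripPattern = Pattern.compile(
                ";" + Pattern.quote(name) + "=[^;/?#]*", Pattern.CASE_INSENSITIVE);
    }

    /** Insert ";name=id" at the end of the path, before any query string or fragment. */
    public String encode(String url, String sessionId) {
        if (sessionId == null || sessionId.isEmpty()) {
            return url; // no session to track, leave the URL untouched
        }
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = q;
        if (f >= 0 && f < cut) cut = f;
        String path = strip(url.substring(0, cut)); // avoid a duplicate parameter
        return path + ";" + name + "=" + sessionId + url.substring(cut);
    }

    /** Remove the session parameter wherever it appears, e.g. before a URL is logged. */
    public String strip(String url) {
        return stripPattern.matcher(url).replaceAll("");
    }

    public static void main(String[] args) {
        String id = "CONSTRUCTED1234"; // constructed sample value, not a real session ID
        SessionUrlParam standard = new SessionUrlParam("jsessionid");
        SessionUrlParam custom = new SessionUrlParam("xsessionid");
        System.out.println(standard.encode("/app/cart?item=1#top", id));
        System.out.println(custom.encode("http://localhost:8080/app/", id));
        System.out.println(standard.strip("/app/cart;JSESSIONID=CONSTRUCTED1234?item=1"));
    }
}
```

The `strip` method is the half worth reusing on its own: a session ID carried in the URL ends up in access logs and Referer headers unless it is removed first.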