
How does Spring Boot remove the jsessionid from the URL?

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02

This article explains how to remove the jsessionid that Spring Boot appends to URLs. The question comes up often in day-to-day work, so the editor consulted a range of material and collected the simple, easy-to-use methods below.

How to remove the jsessionid after the URL

Why the jsessionid is generated in the URL

The jsessionid is the id that identifies a session, and it is stored in a cookie. Normally it does not appear in the URL; the server reads it from the client's cookie. If the client has disabled cookies, however, the URL has to be rewritten so that the jsessionid is written explicitly into it, which lets the server find the session id there.

If the request from the client carries no JSESSIONID cookie, a JSESSIONID is generated and passed to the client when the server calls request.getSession(). The headers of that response contain the information that sets the cookie.

If the request from the client does carry a JSESSIONID cookie, then when the server calls request.getSession() it looks up the session object for that JSESSIONID and returns it if it is found; otherwise it behaves as if no JSESSIONID had been sent.
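The lookup rules above can be observed from inside the application. The following diagnostic endpoint is an added example, not code from the original article; the class name `SessionProbeController` and the `/session-probe` path are hypothetical, and it assumes Spring Boot 2.x with the `javax.servlet` API and the container's default `jsessionid` parameter name.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example: class name and mapping are hypothetical, not from the article.
@RestController
public class SessionProbeController {

    @GetMapping("/session-probe")
    public Map<String, Object> probe(HttpServletRequest request,
                                     HttpServletResponse response) {
        // Creates the session if the client presented no usable JSESSIONID,
        // otherwise returns the session that the presented id refers to.
        HttpSession session = request.getSession();

        Map<String, Object> report = new LinkedHashMap<>();
        report.put("sessionIsNew", session.isNew());
        report.put("idPresentedByClient", request.getRequestedSessionId() != null);
        report.put("presentedIdIsValid", request.isRequestedSessionIdValid());
        report.put("idCameFromCookie", request.isRequestedSessionIdFromCookie());
        report.put("idCameFromUrl", request.isRequestedSessionIdFromURL());

        // Tracking modes the container is really using (COOKIE, URL, SSL).
        report.put("effectiveTrackingModes",
                request.getServletContext().getEffectiveSessionTrackingModes().toString());

        // encodeURL() is the call that appends ;jsessionid=... when the
        // container decides URL rewriting is needed for this client.
        String encoded = response.encodeURL("/next");
        report.put("encodeUrlRewrites", encoded.contains(";jsessionid="));

        // The session id itself is deliberately left out of the report.
        return report;
    }
}
```

Call it once without cookies and once with the returned cookie, before and after applying one of the solutions below, to confirm which tracking modes are in effect and whether encodeURL() still rewrites. Remove the endpoint once the check is done.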

Solution one

Spring Boot versions before 2.0

Add the following configuration to the .yml configuration file

Solution two

Extend SpringBootServletInitializer in the startup class and override the method below (this method does not work in Spring Boot versions before 2.0; it is recorded here as a note for now)

    import java.util.Collections;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.SessionCookieConfig;
    import javax.servlet.SessionTrackingMode;

    // Inside the startup class that extends SpringBootServletInitializer
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        super.onStartup(servletContext);

        // This will set to use COOKIE only
        servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));

        // This will prevent any JS on the page from accessing the cookie;
        // it will only be used/accessed by the HTTP transport mechanism in use
        SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
        sessionCookieConfig.setHttpOnly(true);
    }

About jsessionid and the URL in Java

When writing JSP programs, you will often find a jsessionid parameter in the URL that disappears after a refresh. Some people think this is a bug.

This is not a bug. When a new session is created, the server cannot tell whether the client supports cookies, so it sends the session id both as a cookie and as the jsessionid value in the URL. When the client comes back with the cookie on its second request, the server knows the jsessionid is not needed and drops it from the URL. If the client does not return the cookie, the server keeps adding the jsessionid parameter to the URL.

Today, however, it is hard to imagine a browser that does not support cookies, and the jsessionid parameter can cause problems for SEO and for security.

Impact on SEO

Some search engines may penalize sites that serve the same content under several different URLs. Because each session id is unique, multiple search robots are served the same content under different URLs.

This is a serious problem. Searching Google for inurl:;jsessionid returns: About 211000000 results (.25 seconds)

Security problem

Including the session id in the URL is not a smart move; it makes things easier for attackers.

The solution

Unfortunately, the Servlet Specification and servlet containers do not provide a standard way to prohibit jsessionid in the URL.

But we can solve this problem with a servlet filter.

    package com.lgete.web.filter;

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;

    /**
     * Stops the container from appending jsessionid to URLs it encodes.
     *
     * @author Zhu Jia zhujia7895@gmail.com
     */
    public class URLSessionFilter implements Filter {

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Only HTTP requests carry sessions; pass anything else straight through
            if (!(request instanceof HttpServletRequest)) {
                chain.doFilter(request, response);
                return;
            }

            HttpServletResponse httpResponse = (HttpServletResponse) response;

            // Wrap the response so that every URL-encoding method returns the URL unchanged
            HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
                public String encodeRedirectUrl(String url) {
                    return url;
                }

                public String encodeRedirectURL(String url) {
                    return url;
                }

                public String encodeUrl(String url) {
                    return url;
                }

                public String encodeURL(String url) {
                    return url;
                }
            };

            chain.doFilter(request, wrappedResponse);
        }

        public void init(FilterConfig filterConfig) {
        }

        public void destroy() {
        }
    }

Add the following to web.xml:

    <filter>
        <filter-name>URLSessionFilter</filter-name>
        <!-- fully qualified name of the filter class shown above -->
        <filter-class>com.lgete.web.filter.URLSessionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>URLSessionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

This concludes the look at how Spring Boot removes the jsessionid from the URL. Combining theory with practice is the best way to learn, so go and try it.
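The response wrapper above only stops the server from writing jsessionid into the URLs it generates; it does not change the container's tracking modes, so a session id that arrives in a request URL is still accepted. The following companion filter is an added example, not part of the original article; the class name `InboundUrlSessionIdFilter` is hypothetical, and it assumes Spring Boot 2.x with the `javax.servlet` API, where a `Filter` bean is registered for all requests without a web.xml entry.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: the class name is hypothetical, not from the article.
@Component
public class InboundUrlSessionIdFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {

        // True only when the container took the session id from the URL
        // (;jsessionid=...) rather than from the JSESSIONID cookie.
        if (!request.isRequestedSessionIdFromURL()) {
            chain.doFilter(request, response);
            return;
        }

        // An id that travelled in a URL may already sit in browser history,
        // proxy logs or Referer headers, so retire the session it points to.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Log the event for monitoring, but never the URI or the id itself:
        // the request URI still contains the session id at this point.
        logger.warn("Rejected request carrying a session id in the URL from "
                + request.getRemoteAddr());

        // Refuse the request instead of redirecting, so no response
        // location is ever built from attacker-controllable input.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    }
}
```

When solution two is in effect and the container is restricted to cookie tracking, this filter acts only as a second check and as a log source for requests that still carry a jsessionid.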
