Questions tagged [jsessionid]

JSESSIONID is the name of the tracking parameter defined by the Java servlet API. The parameter can be set either as a cookie or as part of the URL.
If a request specifies a JSESSIONID, the server will use it if it determines that it is valid. If the JSESSIONID in the request is missing or invalid, the server generates a new unique one.
Sessions can be configured to time out (usually 30 minutes), after which time the session ID is no longer valid.

441 questions
290
votes
5 answers

Under what conditions is a JSESSIONID created?

When / what are the conditions when a JSESSIONID is created? Is it per a domain? For instance, if I have a Tomcat app server, and I deploy multiple web applications, will a different JSESSIONID be created per context (web application), or is it…
joshjdevl
69
votes
8 answers

Is it possible to disable jsessionid in tomcat servlet?

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid seems not too search engine friendly.
Roy Chan
57
votes
7 answers

Changing cookie JSESSIONID name

I have a requirement of having to run multiple Tomcat servers on a single physical box. While accessing these from a browser, when the user switches between the applications, it results in logging the user out of the previously accessed application. This is because…
ramanr
44
votes
3 answers

What is a host only cookie?

I would like to know what is a host only cookie. While retrieving a form auth, browser gets in the headers a JSESSIONID cookie shown as host only.
jacktrades
32
votes
7 answers

jsessionid is occurred in all urls which are generated by jstl tag

I've got a strange bug: when I open the page for the first time in some browser, all references have the jsessionid parameter (like ). When I press F5 or refresh the page in any other way, all that stuff is…
Roman
29
votes
10 answers

how to refresh JSESSIONID cookie after login

A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomcat sets this cookie when our stateless Login Page loads, but before…
Nathan Beach
28
votes
2 answers

JSESSIONID Cookie with Expiration Date in Tomcat

What's the best way to set an expiration date for the JSESSIONID cookie sent by Tomcat for a servlet session? By default, the expiration date of the cookie seems to be 'session', which means that the session disappears in the client as soon as the…
Tim Jansen
27
votes
4 answers

Spring Security Sessions without cookies

I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is - our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain…
Phas1c
25
votes
3 answers

How to properly set JSESSIONID cookie path behind reverse proxy

My web app is running in Tomcat at http://localhost:8080/example.com/ but it is being reverse proxied from Apache that is serving up http://example.com/ on port 80. My web app looks at the request.getHeader("x-forwarded-host") header to know that…
Stephen Ostermiller
25
votes
4 answers

Spring boot configure custom jsessionid for embedded server

I want to configure my servlet context, such as setting a custom jsessionId key (see Changing cookie JSESSIONID name). I believe I can use the SpringBootServletInitializer when running a WAR file, manipulating the servletContext in onStartup().…
tkruse
22
votes
8 answers

Same-Site flag for session cookie in Spring Security

Is it possible to set Same-site Cookie flag in Spring Security? And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome).
Tomáš Hála
20
votes
5 answers

remove jsessionid in url rewrite in spring mvc

I am using Spring MVC and having a problem with jsessionid. What I found is that jsessionid is injected in the URL if cookies aren't enabled in the browser, producing a URL like…
mmohab
20
votes
6 answers

Logout leaves behind JSESSIONID on the browser. How to clear it?

I am using the following code for logging out a user off my system. /** * This function helps to set the session attribute for the present user to null and then * removes the attribute itself and this helps in clearing the session * @param…
Shiv Kumar Ganesh
15
votes
1 answer

How to make Spring Security OAuth2 really stateless / get rid of "state" parameter?

I'm currently working on a project where we want the user to sign in via Facebook and other OAuth2 providers. Furthermore the REST api should be stateless. Therefore no cookies/jsessionids should be created/utilized. For authorization against the…
andy
15
votes
3 answers

How to avoid ;jsessionid=XXX on the first call to a page? it works if first page is jsp

I have an application which uses the welcome-page index.jsp with an the contents of the iframe is a jsf page. If I access index.jsp I see a cookie already on the first get in firebug: Set-Cookie …
Toskan