
Tomcat – Disable JSESSIONID in URL

When doing testing to cover PCI Requirement 6, I faced an issue with the session id being exposed in the URL, so I wrote this guide to help others cut down the time needed to fix it. To fix this issue we have several solutions, depending on the environment.

https://webapp.com/main.do;jsessionid=557206C363324F1267A24AB769CA0DE4529.node01

1. Tomcat 6

In Tomcat 6 we can disable URL rewriting with the disableURLRewriting attribute of the Context element. Create a context.xml file containing the following lines, and make sure cookies are enabled, since the session id will then travel only in the JSESSIONID cookie.

<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>

2. Tomcat 7 or above

With Tomcat 7 or above (Servlet 3.0+) we can add the following lines to web.xml, which restricts session tracking to cookies only:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

Or we can set it programmatically:

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
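The programmatic call only works while the context is still initialising; afterwards Tomcat throws IllegalStateException. The natural place for it is a ServletContextListener. Below is an added example (not code from the original post), using the javax.servlet namespace of Tomcat 7 to 9; on Tomcat 10 or later the imports become jakarta.servlet. The package and class names are my own choices.

```java
package com.example.session; // hypothetical package name

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Forces cookie-only session tracking so Tomcat never rewrites
 * ";jsessionid=..." into URLs. This is the programmatic equivalent of
 * <tracking-mode>COOKIE</tracking-mode> in web.xml and must run during
 * context initialisation, before any request is served.
 */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Drop URL rewriting entirely: only the JSESSIONID cookie carries the id.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Since the cookie is now the only carrier, harden it as well.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // not readable from page scripts
        cookie.setSecure(true);     // assumes the app is served over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

After deploying, confirm the fix by requesting a page without a cookie jar and checking that neither the response body nor any Location header contains ";jsessionid=".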
