Tomcat – Disable JSESSIONID in URL

While testing to cover PCI Requirement 6, I ran into the issue of the session ID being exposed in the URL, so I wrote this guide to help others save time fixing it. There are several solutions, depending on the environment. Example of the exposed session ID in a URL:

;jsessionid=557206C363324F1267A24AB769CA0DE4529.node01

1. Tomcat 6

In Tomcat 6 we can disable it with the disableURLRewriting attribute. Create a context.xml file containing the following lines, and make sure cookies are enabled:

<?xml version='1.0' encoding='utf-8'?>
<!-- disableURLRewriting="true" stops Tomcat 6 from appending ;jsessionid= to URLs -->
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true" />

2. Tomcat 7 or above

With Tomcat 7 or above, we can add the following lines to web.xml:


Or we can do it programmatically:
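
An added example (not code from the original post) covering both Tomcat 7+ options above: a Servlet 3.0 listener that restricts session tracking to cookies, with the equivalent web.xml setting in its header comment. The class name is hypothetical, and the Secure flag assumes the application is served only over HTTPS.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Restricts session tracking to cookies so the container no longer
 * appends ;jsessionid= to URLs produced by encodeURL()/encodeRedirectURL().
 *
 * Equivalent declarative setting in web.xml (Servlet 3.0+):
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 *
 * Tomcat 7-9 use javax.servlet; Tomcat 10+ uses the jakarta.servlet packages.
 * CookieOnlySessionTracking is a hypothetical class name.
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Must be called during startup: once the context is initialized
        // this throws IllegalStateException. The listener has to be declared
        // via @WebListener or web.xml, otherwise the container rejects the
        // call with UnsupportedOperationException.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The session ID now travels only in the cookie, so protect it.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);  // not readable from page scripts
        cookie.setSecure(true);    // assumption: HTTPS-only deployment

        // Record what is actually in effect, for verification in the logs.
        ctx.log("Effective session tracking modes: "
                + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```

After redeploying, request a page without sending cookies and confirm that links and redirect Location headers no longer contain ;jsessionid=.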


