About jsessionid and URL in Java

When writing JSP applications you often notice a jsessionid parameter in the URL that disappears after a refresh. Some people take this for a bug.

This is not a bug. When a new session is created, the server does not yet know whether the client accepts cookies, so it both sets a session cookie and rewrites the jsessionid into the URL. When the client sends the cookie back on its second request, the server knows the URL parameter is not needed and stops appending it. If the client never returns the cookie, the server keeps adding the jsessionid parameter to URLs.

It is now hard to imagine a browser that does not support cookies, and the jsessionid parameter can also cause problems for SEO and security.

Impact on SEO

Some search engines penalize sites that serve the same content under many different URLs. Because each session ID is unique, several crawlers fetching the same page will each receive the same content under a different URL.

This is a widespread problem. Searching Google for inurl:;jsessionid returned: About 211,000,000 results (0.25 seconds)

Security issue

Putting the session ID in the URL is unwise: URLs end up in browser history, bookmarks, Referer headers and proxy or server logs, so the ID leaks far more easily than a cookie would, which is convenient for an attacker.

Solution

Unfortunately, the Servlet specification and servlet containers do not provide a standard way to forbid jsessionid in URLs.

But we can solve the problem with a servlet filter.

package com.lgete.web.filter;

import java.io.IOException;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * @author Zhu Jia <a
 *         href="mailto:[email protected]">[email protected]</a>
 *
 */
public class URLSessionFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // Only HTTP requests carry sessions; pass anything else straight through.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Wrap the response so that every URL-encoding method returns the URL
        // unchanged. The container and JSP tags (e.g. <c:url>) call these
        // methods to append ;jsessionid=..., so the session ID is never
        // written into a link or redirect. Clients that reject cookies will
        // simply not keep a session.
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(
                httpResponse) {

            // Deprecated spelling, still called by some containers.
            public String encodeRedirectUrl(String url) {
                return url;
            }

            public String encodeRedirectURL(String url) {
                return url;
            }

            // Deprecated spelling, still called by some containers.
            public String encodeUrl(String url) {
                return url;
            }

            public String encodeURL(String url) {
                return url;
            }
        };

        chain.doFilter(request, wrappedResponse);
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}

Add the following to web.xml (the filter-class must match the package of the class above):

<filter>
    <filter-name>URLSessionFilter</filter-name>
    <filter-class>com.lgete.web.filter.URLSessionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>URLSessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
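As an added example that is not part of the original post, a stricter variant of the filter above: besides suppressing URL rewriting in responses, it refuses to adopt a session ID that arrives in the URL (a case the filter above does not cover, since the container still parses an incoming ;jsessionid), invalidates that session and redirects the client to the same URL without the parameter. The class name StrictURLSessionFilter and the helper stripSessionId are my own; the code relies only on the javax.servlet API already used above.

```java
package com.lgete.web.filter;

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: like URLSessionFilter, but also rejects session IDs arriving in the URL. */
public class StrictURLSessionFilter implements Filter {

    // Matches the ;jsessionid=... path parameter wherever it sits in the path.
    private static final Pattern JSESSIONID = Pattern.compile("(?i);jsessionid=[^;?/]*");

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Case 1: the client presented its session ID as a URL path parameter
        // (a stale link from a search result, a shared URL, ...). Never adopt
        // that session: invalidate it and redirect to the same URL without the
        // parameter, where the container starts a fresh cookie-based session.
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            httpResponse.sendRedirect(stripSessionId(httpRequest));
            return;
        }

        // Case 2: normal request. Disable URL rewriting so no ;jsessionid is
        // appended to links or redirects generated while handling it.
        chain.doFilter(request, new HttpServletResponseWrapper(httpResponse) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }

    /** Rebuilds the request URL without ;jsessionid, keeping the query string. */
    static String stripSessionId(HttpServletRequest req) {
        String url = JSESSIONID.matcher(req.getRequestURL()).replaceAll("");
        String query = req.getQueryString();
        return query == null ? url : url + "?" + query;
    }

    public void init(FilterConfig filterConfig) {}
    public void destroy() {}
}
```

Map it in web.xml exactly like URLSessionFilter above. On Servlet 3.0 or later containers, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml disables URL-based session tracking declaratively and makes the response wrapper unnecessary.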
