Since my intention is to prevent the user from accidentally sharing the URL
containing his JSESSIONID with the public,
I went with this simple solution:
- Using a filter, applied only to / (not /*)
- Checks for ;JSESSIONID= in the URL (which happens only after login)
- Redirects to /

Here's the simplest code:

package web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JsessionIdAvoiderFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        boolean allowFilterChain = redirectToAvoidJsessionId((HttpServletRequest) req,
                (HttpServletResponse) res);
        // if it was redirected, there is no need to continue processing the request
        if (allowFilterChain) {
            chain.doFilter(req, res);
        }
    }

    /**
     * Sends a redirect to "/" when the request URI carries a ";JSESSIONID=..."
     * path parameter, so the session id does not stay visible in the address bar.
     * Returns false when a redirect was sent, true when the chain may continue.
     */
    public static boolean redirectToAvoidJsessionId(HttpServletRequest req,
            HttpServletResponse res) {
        String requestURI = req.getRequestURI();
        if (requestURI.indexOf(";JSESSIONID=") > 0) {
            try {
                res.sendRedirect("/");
                return false;
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return true;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}

<filter>
        <display-name>JsessionId Filter</display-name>
        <filter-name>jsessionIdAvoiderFilter</filter-name>
        <filter-class>web.JsessionIdAvoiderFilter</filter-class>
</filter>
<filter-mapping>
        <filter-name>jsessionIdAvoiderFilter</filter-name>
        <url-pattern>/</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

So far it's been working great for me here.

Warm regards from Jakarta,
Bertie

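As an added example (not from this thread and not Shiro's own code), a variant of the same filter that redirects to the same path with the session path parameter stripped rather than always to /, so deep links survive, and that matches the id case-insensitively because Tomcat writes it as ;jsessionid=. It assumes the Servlet 3.0 API; the class name and the web package are hypothetical.

```java
package web;  // hypothetical package, chosen to match the filter-class above

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Redirects any request carrying a ;jsessionid=... path parameter to the same location
 *  without it, so the id never stays in the address bar or a pasted link. Map it to /* . */
public class SessionIdInUrlFilter implements Filter {

    // Matches the path parameter as written by Tomcat (lowercase) or by Shiro (uppercase).
    private static final Pattern SESSION_PARAM =
            Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    /** Returns the cleaned redirect target, or null when the URI carries no session id. */
    static String stripSessionId(String requestUri, String queryString) {
        if (!SESSION_PARAM.matcher(requestUri).find()) {
            return null;
        }
        String clean = SESSION_PARAM.matcher(requestUri).replaceAll("");
        // Never emit an empty or protocol-relative (//host) target; fall back to the root.
        if (clean.isEmpty() || clean.startsWith("//")) {
            clean = "/";
        }
        return queryString == null ? clean : clean + "?" + queryString;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRequestURI() keeps path parameters, which is why the id is visible here.
        String target = stripSessionId(request.getRequestURI(), request.getQueryString());
        if (target != null) {
            // Session state stays bound to the cookie; only the URL is rewritten. A client
            // without cookies loses the session here, the same trade-off as cookie-only tracking.
            ((HttpServletResponse) res).sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Mapped to /* in web.xml it also catches the post-login redirect the thread describes. Combined with the Servlet 3.0 `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` setting, which is most likely the session-config fix the replies refer to, the container stops writing the id into URLs in the first place.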

On Mon, Nov 18, 2013 at 11:33 PM, Michael Chandler <
[email protected]> wrote:

> This happens to me only after login, and I am also using Tomcat.
>
> *From:* Albert Kam [mailto:[email protected]]
> *Sent:* Friday, November 15, 2013 10:13 AM
> *To:* [email protected]
> *Subject:* Re: Removing ;JSESSIONID=xxx from the url after login ?
>
> Thanks for sharing.
>
> I just downloaded the latest tapestry, along with tapestry security
> (shiro) source,
> and grepping for the jsessionid string doesn't show up anything.
> I suspect this might be a container issue then.
>
> I wonder if everyone experiencing the same problem uses tomcat only :)
>
> On Sat, Nov 16, 2013 at 12:40 AM, Lenny Primak <[email protected]>
> wrote:
>
> I don't remember the exact specifics now (it's been a while since I've
> seen this)
> but I will try to answer.
>
> I am using Tapestry and Tapestry-Security with Shiro.  Tapestry-Security
> has its own Shiro filter
> which isn't a "real" Servlet filter but something similar in Tapestry
> world.  I am not using the pre-built Shiro filter.
> I NEVER see ;JSESSIONID anywhere in the URL.  Ever.
>
> On Nov 15, 2013, at 12:14 PM, Albert Kam wrote:
>
> Hello Lenny, I'm curious about your success story.
> Setting session-config works fine also for me, JSESSIONID is gone for all
> urls,
>   except the url that's produced after a successful login, which in my
> case is where the session is first created.
>
> I hope you don't mind me asking some specifics:
> - Do you use the apache shiro filter for login?
> - Does JSESSIONID show up in the first request for the webapp?
>   or perhaps it shows up after the first successful login?
>
> On Fri, Nov 15, 2013 at 11:52 PM, Lenny Primak <[email protected]>
> wrote:
>
> I was able to fix it with the previously suggested session-config command in
> web.xml.
> Not sure why it didn't work for some people on here, but it worked for me
> on glassfish.
>
> > On Nov 15, 2013, at 9:01 AM, versatec <[email protected]> wrote:
> >
> > whoops, missed the part where you say the JSESSIONID is appended to the url
> > *after* login. On glassfish it happens only when the *login page itself is
> > displayed*, both when logout redirects to the login page and when navigation
> > points to the login page for the first time.
> >
> > --
> > View this message in context:
> http://shiro-user.582556.n2.nabble.com/Removing-JSESSIONID-xxx-from-the-url-after-login-tp7579370p7579383.html
> > Sent from the Shiro User mailing list archive at Nabble.com.
> >
>
> --
> Do not pursue the past. Do not lose yourself in the future.
> The past no longer is. The future has not yet come.
> Looking deeply at life as it is in the very here and now,
> the practitioner dwells in stability and freedom.
> (Thich Nhat Hanh)
