It was not the ;jsessionidxx, but changes to Spring StrictHttpFirewall, the default config now does not allow some characters in the URL:

- Rejects URLs that are not normalized to avoid bypassing security constraints...
- Rejects URLs that contain characters that are not printable ASCII characters.
- Rejects URLs that contain semicolons. <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowSemicolon-boolean->
- Rejects URLs that contain a URL encoded slash. <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowUrlEncodedSlash-boolean->
- Rejects URLs that contain a backslash. <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowBackSlash-boolean->
- Rejects URLs that contain a URL encoded percent. <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowUrlEncodedPercent-boolean->

26-Apr-2018 15:16:43.356 SEVERE [ajp-nio-8009-exec-2] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

Had to go with defaulting to <tracking-mode>COOKIE</tracking-mode> as suggested, rather than overriding Spring defaults.

Cheers Greg

On 27 April 2018 at 13:23, Berneburg, Cris J. - US <cberneb...@caci.com> wrote:

> Hi Greg
>
> -----Original Message-----
> From: Greg Huber [mailto:gregh3...@gmail.com]
> Sent: Thursday, April 26, 2018 4:53 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Tomcat 9 ;jsessionid
>
> > Hello,
> >
> > One thing I have noticed with Tomcat 9.0.x I get a lot
> > ;jsessionid=xxx appended to my urls. This did not happen with 8.5.x.
> >
> > /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> >
> > 500 Internal Server Error
> > /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
> > /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
> >
> > From previous experience this happens when there is no session.
> > I use struts and have used encode="false" on the tags to prevent this:
> >
> > <s:url value="/" encode="false" />
> >
> > Also I have used (in the past) <%@ page session="false" %> but have
> > commented this out as it causes down stream problems for me.
> >
> > Would there be a reason why this has now started happening on 9?
> >
> > Cheers Greg
>
> A while ago we had problems in TC6 with new sessions being created for
> each image. The issue was that there was an invalid character, underscore
> "_", in the URL. I can't remember if Internet Explorer was acting
> weird(er) or if that was expected TC behavior for an invalid URL.
>
> Also, Chris Shultz mentioned that jsessionid appended to the URL can mean
> that cookies are not being used.
>
> Might your problem be more than one issue combined?
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
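
The rejection rules listed in the reply above, restated as a small checker and run over the URL from the thread. This is an added example, not Spring Security's code or anything posted to the list; the encoded-character variants and every sample path except the first are assumptions.

```python
import re

# Simplified restatement of the rejection rules listed in the message above.
# Assumption of this sketch: encoded forms (%3b, %5c) count like the literal
# character. The real StrictHttpFirewall may check more than this.
RULES = [
    ("semicolon", re.compile(r";|%3b", re.I)),
    ("URL-encoded slash", re.compile(r"%2f", re.I)),
    ("backslash", re.compile(r"\\|%5c", re.I)),
    ("URL-encoded percent", re.compile(r"%25")),
    ("non-printable ASCII", re.compile(r"[^\x20-\x7e]")),
    ("not normalized", re.compile(r"/\.{1,2}(/|$)")),
]


def rejection_reasons(path):
    """Return the name of every listed rule that the request path violates."""
    return [name for name, pattern in RULES if pattern.search(path)]


def strip_path_params(path):
    """Drop ;name=value path parameters from each segment.

    This is the URL shape the container produces once session tracking is
    COOKIE only, because no ;jsessionid= is appended by URL rewriting.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


# Sample paths: the first is the URL quoted in the thread, the rest are
# constructed for illustration.
SAMPLES = [
    "/images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB",
    "/images/image_32x32.png",
    "/images/./image_32x32.png",
    "/images%2Fimage_32x32.png",
]

if __name__ == "__main__":
    for p in SAMPLES:
        reasons = rejection_reasons(p)
        verdict = "REJECT" if reasons else "ALLOW "
        print(verdict, p, ", ".join(reasons))
```

Running the same check over access-log paths shows which requests still carry a `;jsessionid=` parameter after the tracking mode is changed.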