Albert,

I'm experiencing the exact same issue so I'm curious to know if you find a 
resolution to this problem.  I'm running the same version of Tomcat that you 
are running and have tried the same things.  I hope you can turn up a clue on 
how to address the issue because I didn't.

Mike

From: Albert Kam [mailto:[email protected]]
Sent: Thursday, November 14, 2013 6:58 AM
To: [email protected]
Subject: Re: Removing ;JSESSIONID=xxx from the url after login ?

Thank you for sharing your success story !

Sorry that I forgot to mention I already had what you suggested in the web.xml :
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

I also made sure that the dtd is correctly pointing to 3.0 :
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        version="3.0">

And I'm running under Tomcat 7.0.42 which already supports servlet 3.0.
And actually JSESSIONID showed up _only_ after the login process. There's no 
more JSESSIONID in any urls afterwards.

Here are my related web.xml entries :
    <!-- has to come first before applying any other filter, otherwise encoding will fail -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <display-name>JsessionId Filter</display-name>
        <filter-name>jsessionIdAvoiderFilter</filter-name>
        <filter-class>web.JsessionIdAvoiderFilter</filter-class>
    </filter>
    <filter>
        <filter-name>httpMethodFilter</filter-name>
        <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>jsessionIdAvoiderFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>httpMethodFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

I also tried swapping place between shiroFilter and jsessionIdAvoiderFilter,
  but with the same result of still containing the ;JSESSIONID=xxx

And this is my shiro filter configuration :
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>
        <property name="successUrl" value="/"/>
        <property name="unauthorizedUrl" value="/signup"/>
        <property name="filterChainDefinitions">
            <value>
                /login = authc
                /logout = noSessionCreation, logout
                /** = noSessionCreation, anon
            </value>
        </property>
    </bean>

I'm using freemarker, so the session thing in JSP shouldn't be an issue, since 
I'm using any JSPs.

My jsessionIdAvoiderFilter is simple :
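package web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdAvoiderFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP requests pass through untouched
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse response = (HttpServletResponse) res;
        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // every URL-encoding method returns the URL unchanged
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(response) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };
        // Only filters and servlets further down the chain see this wrapper
        chain.doFilter(req, wrappedResponse);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }
}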

Thanks for your time !
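
A check for the symptom discussed in this thread, as an added example that is not part of either message: it scans access-log lines for a session ID carried as a `;jsessionid=` path parameter in the request target or the Referer field, and redacts the value in what it reports. The combined log format, the sample lines, the host name and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path-parameter form ";jsessionid=<id>". The Servlet spec names the parameter
# in lowercase and the thread writes it in uppercase, so match case-insensitively.
SESSION_PARAM = re.compile(r'(;jsessionid=)[^;/?#\s"]+', re.IGNORECASE)

# Assumed combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?$'
)

# Constructed sample lines (documentation addresses, made-up session ID).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2013:06:50:01 +0000] "POST /login HTTP/1.1" 302 - "-" "constructed-agent"',
    '192.0.2.10 - - [14/Nov/2013:06:50:02 +0000] "GET /;JSESSIONID=4f2c9a1e-constructed HTTP/1.1" 200 5120 "http://app.example.test/login" "constructed-agent"',
    '192.0.2.10 - - [14/Nov/2013:06:50:09 +0000] "GET /profile HTTP/1.1" 200 2048 "http://app.example.test/;JSESSIONID=4f2c9a1e-constructed" "constructed-agent"',
    '192.0.2.11 - - [14/Nov/2013:06:51:00 +0000] "GET /search?q=;jsessionid=docs HTTP/1.1" 200 900 "-" "constructed-agent"',
]

def redact(url):
    """Replace the session ID value so the report does not repeat the secret."""
    return SESSION_PARAM.sub(r"\1<redacted>", url)

def find_url_session_ids(lines):
    """Return one finding per log field that carries a session ID in a URL path."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # not an access-log line in the assumed format
        for field in ("target", "referer"):
            value = match.group(field) or ""
            # Inspect only the path: a query string that merely contains the
            # text (sample line 4) is not a session path parameter.
            if SESSION_PARAM.search(urlsplit(value).path):
                findings.append({
                    "line": number,
                    "field": field,
                    "status": int(match.group("status")),
                    "url": redact(value),
                })
    return findings
```
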
