Sunday, 30 January 2011

Remove jsessionID from URL (java)

Ø  How is session maintained in java applications?

Session can be maintained using one of the following mechanisms:

1.       Cookies – Server generates name value pair which is stored by the web browser on user’s computer.  Browser sends the information stored in cookie back to the server each time it access the application, so that server can recognize that the new request is part of existing session.
2.       URL rewrite – Server appends session id using parameter jsessionID to all the URLs present on the page returned to the browser. When the user clicks on any of the URLs onthis page, jsessionID is sent back by the browser to the server and the server recognizes that this request is part of an existing session. (for e.g;jsessionid=390018FF5697193A9EFF4EC43B3695B3?param1=value1.
 Methods encodeURL() and encodeRedirectedURL() can be used to implement this.)
3.       Hidden variables – We can also use hidden variables to maintain session, although in true sense, it would be a request based system, not a session based system.

Find out more about maintaining sessions on Oracle website.

Ø  Why is jsessionid appended to some URLs even after cookies are enabled?
If the cookies are disabled on the browser or cookies are absent, and URL is being encoded, jsessionid will be appended to the URL
Note that even when cookies are enabled, if URLs are being encoded, java application appends jsessionid to all the URLs for the first request. This happens because when the first request is sent, the server doesn’t know if cookies are enabled on the browser.

Ø  Why do we need to remove jSession ID from URL’s?
Distinct resources in your applications should be identifiable with distinct URLs. Here are a few advantages of doing this:
1.       More effective search engine optimization
2.       Easier to enable caching based on URL
3.       Cleaner, more user friendly URL

Ø  How to enable cookies for maintaining session on Tomcat server?
Cookies are by default enabled on Tomcat server. They can be turned off by putting cookies=false in <context> element defined for your application.

Ø  How/where to write rules to remove jessionid?

1.       Add a URLRewrite module to your project:
a.       Entry in pom.xml to include dependency to URLRewrite module:

b.      Entry in web.xml:

c.       Add urlrewrite.xml in WEB-INF directory

            Find more information on adding url rewrite module for java on

2.       Add following outbound rules to urlrewrite.xml file to ensure that parameter jsessionID is removed from every outgoing URL:
    <outbound-rule encodefirst="true">
        <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
        <to encode="false">/$1?$2</to>

    <outbound-rule encodefirst="true">
        <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
        <to encode="false">/$1</to>


  1. Thank you very much, I was looking for a solutio for this.

  2. Thanks a lot! very useful and helpful!

  3. A quick question: What is pom.xml and where should it be located?

  4. Hey. Thanks for the article but in my case it does not work. I'm using a new version 4.0.3

  5. These information are great and it help in creating a awesome blog. I just follow all those steps and make a great blog. Thanks for it!
    SEO Tips and Tricks

  6. hi I am running apache tomcat 7.0.68 and would like configurations to remove sessionid in the url.What configs do i need to do and in which files and locations.