You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by gcsaba2 <gc...@gmail.com> on 2018/04/07 21:17:28 UTC
How to remove jsessionid from the URL?
Hello,
I'm using Wicket 7 with Spring Boot. I've mounted several pages, and for
example when I go to search.html, the ;jsessionid always gets attached to
the URL.
Is there some way to remove the jsessionid from the URLs?
In the tomcat configuration I've already set the tracking-mode to be cookie,
but still wicket puts the jsessionid in the url. What's even worse is that
all the links in the page have the jsessionid appended to the URL, so even
if I click anywhere, it will remain there. I would maybe accept it being
there the first time I visit the website and the session gets established,
but afterwards it's really unnecessary (and ugly).
Thanks,
Csaba
--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: How to remove jsessionid from the URL?
Posted by Csaba Galyó <gc...@gmail.com>.
Hmm that's weird. I was about to reproduce the issue in private mode like
you said, but this time it worked, the cookies were set.
Then I tried again in normal mode, and it worked there too.
Must be because I restarted Windows :)
Thanks for the help!
Re: How to remove jsessionid from the URL?
Posted by Martin Grigorov <mg...@apache.org>.
On Mon, Apr 9, 2018 at 2:45 PM, gcsaba2 <gc...@gmail.com> wrote:
> This is true, when I go to http://localhost:7777/ it will immediately
> (302)
> redirect me to http://localhost:777/home.html (my home page is mounted
> here).
>
> AFTER that, the home page will 302 redirect me to
> http://localhost:777/home.html;jsessionid=xxx
>
> All the links on the home page will, after this, contain the ;jsessionid
> part, so clicking anywhere will pass on this token in the URL, and it will
> never go away.
>
> If I manually remove the token by typing in the URL
> http://localhost:777/home.html then it will 302 redirect me to the
> http://localhost:777/home.html;jsessionid=xyz URL, but the session ID will
> be different. This means my previous session has been lost and a new one
> has
> been created.
>
> Looking at the HTTP headers, I can see this:
>
> Set-Cookie: JSESSIONID=xyz; HttpOnly
>
> So the website definitely tries to set the session id. But when I click on
> any of the links, in the request headers I will not see the browser sending
> the JSESSIONID cookie back to the server. It looks like the browser forgot
> about it.
>
> There is no time duration in the header, which is correct since this is a
> session cookie.
>
> Btw. isn't it a problem that the cookie name is (upper case) JSESSIONID,
> while the URL has a (lower case) jsessionid?
>
No. The cases are correct.
>
> I'm using an AuthenticatedWebApplication, which has a getWebSessionClass()
> class. I could be wrong, but I think the session class instance should be
> created only once per session. Here, I see it is being created on every
> request.
>
> Also, if I write request.getCookie(JSESSIONID) it will always return null.
>
It seems the browser doesn't send the JSESSIONID cookie. Does it send any
other cookie or all are lost ? You can create a test one in the Dev Tools
Console with document.cookie="name=value"
>
> I did some more tests, and looks like this mostly happens on Firefox. On IE
> and Chrome, after a few clicks, the jsessionid disappears from the URL. So
> what's wrong with Firefox? I'm using the latest version with default
> settings, why wouldn't it remember the session cookie?
>
Start a new instance of Firefox in private mode and try again.
It could be that you have some plugin that forbids cookies.
>
>
>
> --
> Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-
> f1842947.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>
Re: How to remove jsessionid from the URL?
Posted by gcsaba2 <gc...@gmail.com>.
This is true, when I go to http://localhost:7777/ it will immediately (302)
redirect me to http://localhost:777/home.html (my home page is mounted
here).
AFTER that, the home page will 302 redirect me to
http://localhost:777/home.html;jsessionid=xxx
All the links on the home page will, after this, contain the ;jsessionid
part, so clicking anywhere will pass on this token in the URL, and it will
never go away.
If I manually remove the token by typing in the URL
http://localhost:777/home.html then it will 302 redirect me to the
http://localhost:777/home.html;jsessionid=xyz URL, but the session ID will
be different. This means my previous session has been lost and a new one has
been created.
Looking at the HTTP headers, I can see this:
Set-Cookie: JSESSIONID=xyz; HttpOnly
So the website definitely tries to set the session id. But when I click on
any of the links, in the request headers I will not see the browser sending
the JSESSIONID cookie back to the server. It looks like the browser forgot
about it.
There is no time duration in the header, which is correct since this is a
session cookie.
Btw. isn't it a problem that the cookie name is (upper case) JSESSIONID,
while the URL has a (lower case) jsessionid?
I'm using an AuthenticatedWebApplication, which has a getWebSessionClass()
class. I could be wrong, but I think the session class instance should be
created only once per session. Here, I see it is being created on every
request.
Also, if I write request.getCookie(JSESSIONID) it will always return null.
I did some more tests, and looks like this mostly happens on Firefox. On IE
and Chrome, after a few clicks, the jsessionid disappears from the URL. So
what's wrong with Firefox? I'm using the latest version with default
settings, why wouldn't it remember the session cookie?
--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: How to remove jsessionid from the URL?
Posted by Don Ferguson <do...@gmail.com>.
On the very first request, the server doesn't know whether or not cookies
are supported, so encodes the session id in the URL in addition to setting
the cookie. There is a trick that involves forcing the browser to redirect
the first request so that the server can determine that cookies are
supported and omit the session id in the URL.
On Sat, Apr 7, 2018, 9:40 PM gcsaba2 <gc...@gmail.com> wrote:
> Hello,
>
> I'm using Wicket 7 with Spring Boot. I've mounted several pages, and for
> example when I go to search.html, the ;jsessionid always gets attached to
> the URL.
>
> Is there some way to remove the jsessionid from the URLs?
>
> In the tomcat configuration I've already set the tracking-mode to be
> cookie,
> but still wicket puts the jsessionid in the url. What's even worse is that
> all the links in the page have the jsessionid appended to the URL, so even
> if I click anywhere, it will remain there. I would maybe accept it being
> there the first time I visit the website and the session gets established,
> but afterwards it's really unnecessary (and ugly).
>
> Thanks,
> Csaba
>
>
> --
> Sent from:
> http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>