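The dangers of jsessionid in URLs and a solution for removing it. Original article:
http://randomcoder.com/articles/jsessionid-considered-harmful
The approach is simply to add a filter that intercepts all URLs and rewrites them: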
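```java
package com.abc.web.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Stops the container from writing ;jsessionid=... into URLs.
public class DisableUrlSessionFilter implements Filter {
    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Non-HTTP requests pass through untouched.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // A session id that arrived in the URL is not trusted: invalidate that session.
        // getSession(false) avoids creating a new session only to invalidate it.
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // Return URLs unchanged so no session id is appended (includes the deprecated aliases).
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }
            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }
            @Override
            public String encodeUrl(String url) {
                return url;
            }
            @Override
            public String encodeURL(String url) {
                return url;
            }
        };
        chain.doFilter(request, wrappedResponse);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
```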
Then the web.xml configuration:
```xml
<!-- to disable jsessionid in url -->
<filter>
    <filter-name>DisableUrlSessionFilter</filter-name>
    <filter-class>com.abc.web.filter.DisableUrlSessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>DisableUrlSessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
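On a container that implements Servlet 3.0 or later, cookie-only session tracking can also be declared directly in web.xml, so the container itself stops using URL rewriting. The fragment below is an added example, not part of the original article; it assumes the deployment descriptor declares version 3.0 or higher and that the site is served only over HTTPS (required for the secure flag to be usable).

```xml
<!-- Added example: assumes a Servlet 3.0+ web.xml and an HTTPS-only site -->
<session-config>
    <cookie-config>
        <!-- Keep the session cookie out of reach of page scripts -->
        <http-only>true</http-only>
        <!-- Send the session cookie only over HTTPS (assumption: no plain-HTTP access) -->
        <secure>true</secure>
    </cookie-config>
    <!-- Track sessions by cookie only; URL rewriting is no longer used for session tracking -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With only COOKIE listed, clients that refuse cookies get no session at all, which is the same trade-off the filter makes.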