The Problem with JSessionId

An article on looks at the negative aspects of using the jsessionid technique for cookieless sessions in Java web applications. A Google search for "JSessionid" reveals sites such as Sun's Download Center using the technique. The article points out a number of issues with doing so:
  • Every link must be generated with HttpServletRequest.encodeURL() or mechanisms such as a JSTL tag
  • Search engines penalize sites which have identical content from multiple unique URLs
  • The session is more easily spoofed by hackers
In response, the author recommends requiring cookie support to store sessions. The article includes an example servlet filter to prevent the generation of session identifiers in URLs.