Questions tagged [jsessionid]

JSESSIONID is the name of the tracking parameter defined by the Java servlet API. The parameter can be set either as a cookie or as part of the URL.
If a request specifies a JSESSIONID, the server uses it if it determines that it is valid. If the JSESSIONID in the request is missing or invalid, the server generates a new unique one.
Sessions can be configured to time out (usually after 30 minutes), after which the session ID is no longer valid.

461 questions
15 votes, 3 answers

How to avoid ;jsessionid=XXX on the first call to a page? it works if first page is jsp

I have an application which uses the welcome-page index.jsp with an the contents of the iframe is a jsf page. If I access index.jsp I see a cookie already on the first get in firebug: Set-Cookie …
Toskan
13 votes, 3 answers

How to set cookie domain and path with Spring boot

In Tomcat, we can do it like this: I want to share the cookie for second level domain with Spring Boot, how to do it?
zhe zhu
13 votes, 2 answers

Setting httponly in JSESSIONID cookie (Java EE 5)

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader(). When…
Mythandros
12 votes, 1 answer

Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code

Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript? Using Tomcat 6: alert(document.cookie); // JSESSIONID=8675309ABCDEF... Using Tomcat…
Jeff R.
12 votes, 1 answer

Why is jsessionid appearing in Wicket URLs when cookies are enabled?

I notice that the first time a user visits my site the Wicket-generated URLs contain a jsessionid, rather than relying on the cookie for session information. The cookie does get set successfully, and if the user simply reloads the page, the…
George Armhold
12 votes, 5 answers

Why remember me token?

While implementing the "remember me" feature for a website, why do we complicate things and have a token called remember me token apart from a session token. To the best of my understanding, remember me token can be used to log in and create a new…
Ashish
11 votes, 2 answers

weblogic jsessionid

I run Weblogic 10.3 locally and have a question about the sessionId that it generates. When I print session.getId() I see something that resembles this: BBp9TAACMTglQ2TDFAKR4tpyXg73LZDQJ2PtT9x8htG1tWY122aa!869187422!1308677666322 what are these…
Elijah
11 votes, 2 answers

How to prevent jboss node name from being added to sessionid

Recently, we have upgraded our application server from JBoss EAP6.2 to EAP7.0. Even though it runs non-HA profile aka standalone.xml, JBoss adds jboss.node.name at the end of JSESSIONID cookie. For example, Spring Boot generates a JSESSIONID as…
Bunyamin Coskuner
10 votes, 3 answers

JBoss 7.0.1 running without jsessionid in the URL is not working

Because of some security reasons I decided to disable session tracking by jsessionid in URL. Before I changed my web.xml to the one below, I had on the first time I visited the page a jsessionid in the url, after clicking the first link, it never…
Joergi
10 votes, 3 answers

Apache Tomcat 7 Changing JSESSIONID on Every Request

This issue is driving me insane, so maybe someone could help me understand what the issue is. I have a tomcat web application being fronted by HAProxy. HAProxy is also doing SSL offloading, and is configured to use sticky sessions. I am using…
Nobody
10 votes, 1 answer

Can someone who merely knows my current JSESSIONID impersonate / hijack my session (Tomcat 7/Glassfish 3.2)?

I'm looking for a plain English, "for dummies" explanation of how does JSESSIONID work from security aspects. Can someone who merely knows my current JSESSIONID impersonate / hijack my session? In what scenarios JSESSIONID will be part of the URL,…
Eran Medan
9 votes, 1 answer

How can I get session id in java

I want to build an api in java to solve the security image problem occurred while moving one page to another page in any website. How can I get the session id and cookies so that I can post it with the security image string. Thanks
Tokendra Kumar Sahu
9 votes, 2 answers

Grails without session

I noticed that grails applications, as most other java based web applications, always create a session, even when it is not used. Is it possible to set the JSESSIONID cookie only when needed, e.g. when someone tries to log in?
rdmueller
8 votes, 3 answers

How to set and get JSESSIONID cookie in VBA?

I'm writing a VBA web service client in Excel 2010 using MSXML2.XMLHTTP60 for my Java REST web services hosted on Tomcat 8.5.5. In VBA, I want to snag the string JSESSIONID=E4E7666024C56427645D65BEB49ADC11 from a response and set it in a subsequent…
Tamara Aviv
8 votes, 1 answer

jsessionID gets appended to the url when running GAE devserver

For some reason string like: ;jsessionid=SESSION_HERE gets added to urls when I visit my app deployed to GAE devserver. This messes things up since for some of the urls it cannot be parsed as a GET parameter at all (sometimes it ends up with urls…