Session ID conveyed as part of URL

Hello,
We have build struts based application,deployed on Tomcat and Weblogic. Sometimes while navigating web pages jsessionid is appended to URL which is not required by our client.Is there any way to truncate sessionid from URL.

If some changes from server side is required ,Please also tell me which all files needed to be changed both at Tomcat as well as on Weblogic.

Thanks in advance

I guess using the encodeURL causes this kind of behaviour. Check in case your application is using it somewhere. Before removing make sure that if the client does not support cookies then it might be prety hard for you to maintain the state.

Originally posted by Anupam Sinha:
I guess using the encodeURL causes this kind of behaviour. Check in case your application is using it somewhere. Before removing make sure that if the client does not support cookies then it might be prety hard for you to maintain the state.

Hi Anupam thanks for reply,
Problem is client does not support cookies,so we have to find some solution
which overcome this problem, might be some changes at server side for redirection rule or something.Any ideas will be appreciated.

I think that it would be pretty difficult to maintain the state in case you are not using URL rewriting and are also not using cookies. Can you switch over to https. Probably that might help you.

JSP sessions are maintained in one of two ways.
Cookies or URL Re-writing.

If your client doesn't support cookies and you're using sessions, then the session id in the url will need to stay.

There is actually a third way too.
It can use the mechanisms provided by SSL.
[ March 10, 2006: Message edited by: Ben Souther ]

Originally posted by Anupam Sinha:
I think that it would be pretty difficult to maintain the state in case you are not using URL rewriting and are also not using cookies. Can you switch over to https. Probably that might help you.

Hi Anupam thanks for reply,
We are already using https,there is one confusion in your reply.What exactly do you mean by URL rewriting?

OK let me explain you my problem further.First, We are using servlet API HttpSession object for maintaining session information does it mean same as URL Rewriting?

Second, jsessionid is displayed only once when we access our Application URL and click on any of one link within application , after that jsessionid never appears in URL within same browser.In short for every new browser,jsessionid will appear once.


I hope that with these two points problem will be more clear to you.

thanks and suggestion will be appreciated.

I guess that its the second time you request for a page that the session ID is displayed. For example : After login the second request that the client sends in contains the jsessionID?

Well probably I will also have to search a solution if possible. I haven't ever come across such a scenario. Probably Ben, Bear or David would be in a better position to help. Will try and think about this one.

URL re-witing is simply suffixing the URL with the session ID. Yeah if you are using Sessions then the container needs to maintain sessions and for the container that would be either through cookies and/or URL re-writing.

If you are using https. I guess thats a protocol that can maintain state?
[ March 10, 2006: Message edited by: Anupam Sinha ]

If you are generating your URLs using struts via the html:??? tag, all URLs on the first entry point into your application referencing your site are automatically rewritten. Why? Because the container does not know if the browser supports cookies or not. After the first request, the container will then find out that the browser supports cookies, and this, will not need to rewrite any URLs.

Second, jsessionid is displayed only once when we access our Application URL and click on any of one link within application , after that jsessionid never appears in URL within same browser.In short for every new browser,jsessionid will appear once.

For the first time container uses both cookies as well as URL-Rewriting for maintaining session. When client accepts cookies then JSESSIONID will NOT be appended to your URL. As per what you had said this should be the case.

You had also mentioned your application also uses HTTPS. Probably that might have been used initially for transfering user crendentials safely and switch back to HTTP.

If you are using https. I guess thats a protocol that can maintain state?

Yes HTTPS maintains session internally. NO Cookie (or) URLRewriting is required.

Any solution for the above issue?It would be very helpful,if you could provide a any updates on this..Most welcome