Is it possible to disable jsessionid in tomcat servlet?

Posted on 2024-07-24 18:51:05

Is it possible to turn off jsessionid in the URL in Tomcat? The jsessionid seems not too search engine friendly.

怪异←思 2024-07-31 18:51:05

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

Tomcat 6 (pre 6.0.30)

You can use the tuckey rewrite filter.

Example config for Tuckey filter:

<outbound-rule encodefirst="true">
  <name>Strip URL Session ID's</name>
  <from>^(.*?)(?:\;jsessionid=[^\?#]*)?(\?[^#]*)?(#.*)?$</from>
  <to>$1$2$3</to>
</outbound-rule>

Tomcat 6 (6.0.30 and onwards)

You can use disableURLRewriting in the context configuration to disable this behaviour.

Tomcat 7 and Tomcat 8

From Tomcat 7 onwards you can add the following in the session config.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

奶茶白久 2024-07-31 18:51:05

 <session-config>
     <tracking-mode>COOKIE</tracking-mode>
 </session-config> 

Tomcat 7 and Tomcat 8 support the above config in your web-app web.xml, which disables URL-based sessions.

唐婉 2024-07-31 18:51:05

It is possible to do this in Tomcat 6.0 with:
disableURLRewriting

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

e.g.

<?xml version='1.0' encoding='utf-8'?>
<Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true">
</Context>

Within Tomcat 7.0, this is controlled with the following within an application:
ServletContext.setSessionTrackingModes()

Tomcat 7.0 follows the Servlet 3.0 specifications.

掐死时间 2024-07-31 18:51:05

Use a Filter on all URLs that wraps the response in a HttpServletResponseWrapper that simply returns the URL unchanged from encodeRedirectUrl, encodeRedirectURL, encodeUrl and encodeURL.

萌酱 2024-07-31 18:51:05

Quote from Pool's answer:

You can use the tuckey rewrite filter.

You can disable for just search engines using this filter, but I'd advise using it for all responses as it's worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info).

It's worth mentioning that this will still allow cookie-based session handling even though the jsessionid is not visible anymore.
(taken from his other post: Can I turn off the HttpSession in web.xml?)

PS. I don't have enough reputation to comment, otherwise I would have added this to his post above as a comment.

清引 2024-07-31 18:51:05

In Tomcat 6.0 you could use disableURLRewriting="true" in context.xml from the /config path of your Tomcat installation.

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

context.xml file

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context disableURLRewriting="true">

    <!-- Default set of monitored resources -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->

    <!-- Uncomment this to enable Comet connection tacking (provides events
         on session expiration as well as webapp lifecycle) -->
    <!--
    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
    -->

</Context>

...

Now Tomcat output is search engine friendly...

Enjoy

久光 2024-07-31 18:51:05

Also if you have Apache in front of Tomcat you can strip out the jsession with a mod_rewrite filter.

Add the following to your apache config.

#Fix up tomcat jsession appending rule issue
RewriteRule  ^/(.*);jsessionid=(.*) /$1 [R=301,L]

This will do a 301 redirect to a page without the jsessionid. Obviously this will completely disable url jsessionid's but this is what I needed.

Cheers,
Mark

花开柳相依 2024-07-31 18:51:05

By default, cookies are enabled in Tomcat server (you can explicitly set it by using cookies=true in element of server.xml). Enabling cookies means that jsessionID will not be appended to URLs since the session will be managed using cookies.
However, even after cookies are enabled, jsessionIDs are appended to the URL for the first request as the webserver doesn't know at that stage if cookies have been enabled. To remove such jsessionIDs, you can use tuckey rewrite rules:

You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
    <from>^/(.*);jsessionid=.*[?](.*)$</from>
    <to encode="false">/$1?$2</to>
</outbound-rule>

<outbound-rule encodefirst="true">
    <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
    <from>^/(.*);jsessionid=.*[^?]$</from>
    <to encode="false">/$1</to>
</outbound-rule>

You can find more information on this at http://javatechworld.blogspot.com/2011/01/how-to-remove-jsessionid-from-url-java.html

稳稳的幸福 2024-07-31 18:51:05

In Tomcat 7 and above, you can add this in tomcat/conf/context.xml

<Context cookies="false">

to disable JSESSIONID. More on this help doc (refer cookies section).
