code

It's all just ones and zeroes, isn't it?

Disabling JSESSIONID url sessions in Jetty

We just noticed that on your first visit to http://snapsort.com, all of the links on the page have the Java ";jsessionid=foo" session id appended to them. In fact, Google is indexing some of our pages with these ids in them, and then complaining that we have pages with duplicate titles!

We're not the only ones who have faced this problem. Here is a link to a write-up claiming that jsessionid is considered harmful, with instructions on how to remove them using a servlet filter. And here's a link to a Google search for pages indexed with jsessionid; I'm seeing 736 million :)

These JSESSIONIDs exist to support sessions for users who do not have cookies. Right now we don't have any session state, and even if we did we could live with cookie-less users getting no session: they are probably a minority, and for our site session features would be little nice-to-haves such as remembering previous camera comparisons. Losing those is not the end of the world, compared to, say, a shopping cart at Amazon.

So, we're going to get rid of the pesky JSESSIONIDs. JSESSIONIDs begone!

  1. We've added a rewrite rule to NGINX so that if anyone (say, Google) comes to our site with a URL with a JSESSIONID in it, we'll send back a 301 permanent redirect response pointing them to the URL with the jsessionid stripped. This will clean up the URLs that are already out there, we hope.
  2. We've instructed Jetty not to use URL sessions. This will prevent any more URLs with jsessionids in them from getting out.
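As an added illustration (this is not code from the original post or from Snapsort), here is a small Python model of both steps: strip_jsessionid computes the 301 target that the NGINX rule produces, and leaking_links audits a page for links that still carry a session id, which is the check to run against a first, cookie-less request once Jetty's URL sessions are switched off. The function names and the sample HTML are mine and are constructed for the example. Beyond the duplicate-title problem, the reason the "considered harmful" write-up exists is that a session id inside a URL ends up in Referer headers, proxy and server logs, bookmarks and search indexes, so anyone who sees the URL can potentially reuse the session; redirecting to the clean URL, and not honouring the id that arrived in the path, closes that path.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Jetty encodes the id as a path parameter: /path;jsessionid=<id>?query
# Match case-insensitively and stop at '/', '?', '#' or ';' so that a
# following path segment, query string or fragment survives the strip.
_JSESSIONID_RE = re.compile(r";jsessionid=[^/?#;]*", re.IGNORECASE)


def strip_jsessionid(url: str) -> Optional[str]:
    """Return the URL to 301-redirect to, or None if the URL is already clean.

    Mirrors the NGINX rule from the post: only the jsessionid path parameter
    is removed; scheme, host, query string and fragment are kept as they were.
    """
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path
    if not _JSESSIONID_RE.search(parts.path):
        return None
    clean_path = _JSESSIONID_RE.sub("", parts.path) or "/"
    return urlunsplit(parts._replace(path=clean_path))


class _LinkCollector(HTMLParser):
    """Collect href/action values from anchors, links and forms."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.hrefs.append(value)


def leaking_links(html: str) -> List[str]:
    """Return every link on the page that still carries a jsessionid.

    Feed this the body of a cookie-less GET of the front page: after URL
    sessions are disabled in Jetty the result should be an empty list.
    """
    collector = _LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if _JSESSIONID_RE.search(h)]


# Constructed sample of what a first, cookie-less visit looked like.
SAMPLE_HTML = """
<html><body>
<a href="/cameras/compare;jsessionid=1A2B3C4D?lens=50mm">Compare</a>
<a href="/about">About</a>
<form action="/search;jsessionid=1A2B3C4D" method="get"></form>
</body></html>
"""


if __name__ == "__main__":
    for url in ("/cameras/compare;jsessionid=1A2B3C4D?lens=50mm", "/about"):
        print(url, "->", strip_jsessionid(url))
    print("links still leaking a session id:", leaking_links(SAMPLE_HTML))
```

In NGINX itself the same strip is, as far as I know, a single directive of the form rewrite "^(.*);jsessionid=[^/?]*(.*)$" $1$2 permanent; since rewrite matches the URI without the query string and re-appends the original query automatically (this directive is my reconstruction, not the rule from the post). Either way the redirect must not copy the id from the path into a Set-Cookie header, otherwise the leaked id would simply be re-adopted.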

See the general Jetty documentation on configuring session support.

Here is the Maven (Jetty 6 plugin) XML to configure Jetty to disable JSESSIONIDs:



<webAppConfig implementation="org.mortbay.jetty.plugin.Jetty6PluginWebAppContext">
  <sessionHandler implementation="org.mortbay.jetty.servlet.SessionHandler">
    <sessionManager implementation="org.mortbay.jetty.servlet.HashSessionManager">
      <!-- Disable url sessions using JSessionID -->
      <sessionURL>none</sessionURL>
    </sessionManager>
  </sessionHandler>
</webAppConfig>


And here is how to do it in Scala code (you can probably translate it to Java easily too). Note: you only need one of these, I used both to support different ways of launching Jetty.



  import org.mortbay.jetty.Server
  import org.mortbay.jetty.webapp.WebAppContext

  val server = new Server(8080)
  val context = new WebAppContext()
  context.setServer(server)
  context.setContextPath("/")
  // Disable JSESSIONID URL rewriting! This will break cookie-less sessions, we'll live!
  context.getSessionHandler.getSessionManager.setSessionURL("none")
  context.setWar("src/main/webapp")
  // Mount the web app on the server and run it (Jetty 6 API)
  server.setHandler(context)
  server.start()
  server.join()

 

Filed under: java, jetty, jsessionid, scala
