Date: 2014-05-16

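Removing the jsessionid from the end of URLs
The harm caused by jsessionid and a solution for removing it. Original article: http://randomcoder.com/articles/jsessionid-considered-harmful

In practice this just means adding a filter that intercepts every URL and rewrites it: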
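import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

public class DisableUrlSessionFilter implements Filter {

	@Override
	public void destroy() {
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		// Only HTTP requests carry sessions; pass anything else through untouched.
		if (!(request instanceof HttpServletRequest)) {
			chain.doFilter(request, response);
			return;
		}
		HttpServletRequest httpRequest = (HttpServletRequest) request;
		HttpServletResponse httpResponse = (HttpServletResponse) response;
		// A session id that arrived in the URL is not trusted: invalidate that session.
		if (httpRequest.isRequestedSessionIdFromURL()) {
			// getSession(false) returns null instead of creating a new session.
			HttpSession session = httpRequest.getSession(false);
			if (session != null)
				session.invalidate();
		}
		// Wrap the response so that every URL-encoding method returns the URL
		// unchanged, which stops ";jsessionid=..." from being appended.
		HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(
				httpResponse) {
			public String encodeRedirectUrl(String url) {
				return url;
			}

			public String encodeRedirectURL(String url) {
				return url;
			}

			public String encodeUrl(String url) {
				return url;
			}

			public String encodeURL(String url) {
				return url;
			}
		};
		chain.doFilter(request, wrappedResponse);
	}

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
	}

}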

Then the web.xml configuration:
	<!--to disable jsessionid in url  -->
	<filter>
	  <filter-name>
	    DisableUrlSessionFilter
	  </filter-name>
	  <filter-class>
	   com.abc.web.filter.DisableUrlSessionFilter
	  </filter-class>
	</filter>
	
	<filter-mapping>
	  <filter-name>DisableUrlSessionFilter</filter-name>
	  <url-pattern>/*</url-pattern>
	</filter-mapping>
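
One way to check whether responses still carry a session id once the filter is mapped, as an added example that is not part of the original post: it scans a raw HTTP response for `;jsessionid=` in URL-bearing headers and HTML attributes. The function names and the two sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# ";jsessionid=<id>" is the path parameter a servlet container appends when it
# rewrites a URL; the id ends at the next ?, #, ;, /, quote or whitespace.
JSESSIONID_RE = re.compile(r""";jsessionid=[^?#;/\s"'<>]*""", re.IGNORECASE)
URL_HEADERS = {"location", "content-location", "refresh"}
URL_ATTRS = {"href", "src", "action"}


def strip_jsessionid(url):
    """Return url with every ;jsessionid=... path parameter removed."""
    return JSESSIONID_RE.sub("", url)


class _UrlAttrCollector(HTMLParser):
    """Collects the values of URL-bearing attributes from an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in URL_ATTRS and v]


def find_leaks(raw_response):
    """Return (location, url) pairs for URLs that still carry a session id."""
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in URL_HEADERS and JSESSIONID_RE.search(value):
            leaks.append((name.strip().lower(), value.strip()))
    collector = _UrlAttrCollector()
    collector.feed(body)
    leaks += [("body", u) for u in collector.urls if JSESSIONID_RE.search(u)]
    return leaks


# Constructed sample responses (not captured from a real application).
SID = "0123456789ABCDEF0123456789ABCDEF"
REWRITTEN = (
    "HTTP/1.1 302 Found\r\nLocation: /app/home;jsessionid=" + SID + "?tab=1\r\n\r\n"
    '<a href="/app/list;jsessionid=' + SID + '">list</a><img src="/logo.png">'
)
CLEAN = 'HTTP/1.1 302 Found\r\nLocation: /app/home?tab=1\r\n\r\n<a href="/app/list">list</a>'

if __name__ == "__main__":
    for label, resp in (("rewritten", REWRITTEN), ("clean", CLEAN)):
        print(label, find_leaks(resp))
```

An empty result for pages fetched without a session cookie indicates that URL rewriting is no longer reaching the client.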
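#1 murener 2011-12-30
But then isn't the session lost?
#2 twovs yesterday
He never actually tested this, he just copied it; the jsessionid in the URL takes no notice of this filter at all and is still appended all the same.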