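Removing the jsessionid from the end of URLs
The harm done by jsessionid and a solution for removing it. Original article: http://randomcoder.com/articles/jsessionid-considered-harmful
It really just comes down to adding a filter that intercepts all URLs and rewrites them: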
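import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

public class DisableUrlSessionFilter implements Filter {
    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Only HTTP requests carry sessions; pass anything else through.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // A session id that arrived in the URL is not trusted: invalidate it.
        if (httpRequest.isRequestedSessionIdFromURL()) {
            // getSession(false) avoids creating a session just to discard it.
            HttpSession session = httpRequest.getSession(false);
            if (session != null)
                session.invalidate();
        }
        // Turn URL encoding into a no-op so ;jsessionid is never appended.
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
            public String encodeRedirectUrl(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
            public String encodeUrl(String url) { return url; }
            public String encodeURL(String url) { return url; }
        };
        chain.doFilter(request, wrappedResponse);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}
}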
<!-- to disable jsessionid in url -->
<filter>
    <filter-name>DisableUrlSessionFilter</filter-name>
    <filter-class>com.abc.web.filter.DisableUrlSessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>DisableUrlSessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

#1 murener 2011-12-30
Then isn't the session lost?

#2 twovs yesterday
He never tested it at all, he just copied it.