Do I need a filter to remove session ids as a user of Pretty faces?


This topic contains 7 replies, has 3 voices, and was last updated by  balteo 6 years, 1 month ago.

  • #18017

    balteo
    Participant

    Hello,

    As a former user of restfaces, I required a servlet filter in order to remove session IDs appended to my URLs. It was implemented as follows:

    **********************************************

    package com.jeanbaptistemartin.util;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpServletResponseWrapper;
    import javax.servlet.http.HttpSession;

    /**
     * Servlet filter which disables URL-encoded session identifiers.
     */
    @SuppressWarnings("deprecation")
    public class DisableUrlSessionFilter implements Filter {

        /**
         * Filters requests to disable URL-based session identifiers.
         */
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            // skip non-http requests
            if (!(request instanceof HttpServletRequest)) {
                chain.doFilter(request, response);
                return;
            }

            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;

            // clear session if session id in URL
            if (httpRequest.isRequestedSessionIdFromURL()) {
                // getSession(false) returns null instead of creating a session just to invalidate it
                HttpSession session = httpRequest.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }

            // wrap response to remove URL encoding
            HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
                @Override
                public String encodeRedirectUrl(String url) {
                    return url;
                }

                @Override
                public String encodeRedirectURL(String url) {
                    return url;
                }

                @Override
                public String encodeUrl(String url) {
                    return url;
                }

                @Override
                public String encodeURL(String url) {
                    return url;
                }
            };

            // process next request in chain
            chain.doFilter(request, wrappedResponse);
        }

        /**
         * Unused.
         */
        @Override
        public void init(FilterConfig config) throws ServletException {
        }

        /**
         * Unused.
         */
        @Override
        public void destroy() {
        }
    }

    **********************************************

    Now that I use PrettyFaces + JSF 2, do I still require this servlet filter in order to avoid these ugly session IDs in my URLs?

    Regards,

    Julien.

    #21295

    Add to your web.xml:

    <session-config>
        <session-timeout>30</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    #21296

    balteo
    Participant

    Thanks Sebastian!

    I was not aware of this EE6 feature…

    Regards,

    Julien.

    #21297

    balteo
    Participant

    Sébastian,

    One last question: are you positive Google won’t index URLs with JSESSIONIDs now that I have added the tracking-mode as advised?

    This is actually my main concern…

    Regards,

    Julien.

    #21298

    By specifying the session tracking-mode in web.xml, your application will *only* use the selected methods. If you don’t specify “URL” tracking, then it won’t use it. At least that’s how I understand it.

    #21299

    You could also do this using:

    http://ocpsoft.com/support/topic/url-rewrite-removing-the-jsessionid-from-the-url

    (this rule..)

    <rewrite match="(?i)^(.*);jsessionid=\w+(.*)" substitute="$1$2" redirect="301"/>
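
The rewrite rule from the post above, exercised on constructed URLs, as an added example that is not part of the thread: it applies the rule's pattern with `java.util.regex`, compares it with a stricter pattern, and scans a constructed response for links that still carry a session id. The class name, helper names, the `STRICT` and `LEAK` patterns and all sample ids are assumptions; it goes slightly beyond the rule by covering ids that carry a route suffix such as `.node1`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the thread. URLs and session ids below are constructed.
public class JsessionidCheck {

    // Pattern and substitution from the rewrite rule quoted in the post above.
    static final Pattern THREAD_RULE = Pattern.compile("(?i)^(.*);jsessionid=\\w+(.*)");

    // Assumption: a stricter variant that consumes the whole path parameter up to the
    // next '?', '#', '/' or ';', so a suffix such as Tomcat's ".jvmRoute" is removed too.
    static final Pattern STRICT = Pattern.compile("(?i);jsessionid=[^?#/;]*");

    // Finds any URL-like token in a response that still carries a session id.
    static final Pattern LEAK = Pattern.compile("(?i)[^\\s\"'<>]*;jsessionid=[^\\s\"'<>]*");

    static String stripWithThreadRule(String url) {
        return THREAD_RULE.matcher(url).replaceFirst("$1$2");
    }

    static String stripStrict(String url) {
        return STRICT.matcher(url).replaceAll("");
    }

    static List<String> findLeaks(String responseText) {
        List<String> leaks = new ArrayList<>();
        Matcher m = LEAK.matcher(responseText);
        while (m.find()) {
            leaks.add(m.group());
        }
        return leaks;
    }

    public static void main(String[] args) {
        String[] urls = {
            "/shop/item.jsf;jsessionid=0A1B2C3D4E5F?id=7",
            "/shop/item.jsf;jsessionid=0A1B2C3D4E5F.node1?id=7", // id with a route suffix
            "/shop/item.jsf?id=7"                                 // already clean
        };
        for (String url : urls) {
            System.out.printf("%-52s rule=%-28s strict=%s%n",
                    url, stripWithThreadRule(url), stripStrict(url));
        }
        // Constructed response: a Location header plus two links, one of them clean.
        String response = "Location: /login.jsf;jsessionid=0A1B2C3D4E5F.node1\n"
                + "<a href=\"/shop/cart.jsf;jsessionid=0A1B2C3D4E5F\">cart</a>\n"
                + "<a href=\"/shop/help.jsf\">help</a>\n";
        System.out.println("leaks: " + findLeaks(response));
    }
}
```

Running `findLeaks` over pages rendered with `<tracking-mode>COOKIE</tracking-mode>` in place should return an empty list; any hit means some component is still URL-encoding the session id.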

    #21300

    balteo, I had the same problem with Google and appended jsessionid. The web.xml param fixed that. After some days all links will be replaced without jsessionid.

    #21301

    balteo
    Participant

    Thanks to both of you!
