Spring Boot: remove jsessionid from url

Problem description

How can I remove the jsessionid from my urls?

I'm using Spring Boot MVC (without Spring Security; tomcat embedded).

I've read that it could be done by setting the disableUrlRewriting to "true". But this looks like a Spring Security solution, which I don't use (it's a simple project without login; just pages; a session-controller exists and has to be a session-controller).

I'm asking this because GoogleBot is creating urls containing the id.

I solved it with the solution described at: https://randomcoder.org/articles/jsessionid-considered-harmful

Recommended answer

I created a quick-and-dirty spring-boot app and here's what I came up with.

The ServletInitializer that is generated, you can alter it in this fashion:

package com.division6.bootr;

import java.util.Collections;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;

public class ServletInitializer extends SpringBootServletInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // This can be done here or as the last step in the method
        // Doing it in this order will initialize the Spring
        // Framework first, doing it as last step will initialize
        // the Spring Framework after the Servlet configuration is 
        // established
        super.onStartup(servletContext);

        // This will set to use COOKIE only
        servletContext.setSessionTrackingModes(
                Collections.singleton(SessionTrackingMode.COOKIE));
        // This will prevent any JS on the page from accessing the
        // cookie - it will only be used/accessed by the HTTP transport
        // mechanism in use
        SessionCookieConfig sessionCookieConfig =
                servletContext.getSessionCookieConfig();
        sessionCookieConfig.setHttpOnly(true);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringBootrApplication.class);
    }

}

Author's note

I am not 100% sure when this was introduced but by introducing the following parameters, the same can be accomplished without having to write code:

  • server.servlet.session.cookie.http-only = true
  • server.servlet.session.tracking-modes = cookie
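
The same cookie-only setting for an application started from its main method on embedded Tomcat, as in the question: there Spring Boot applies ServletContextInitializer beans, whereas SpringBootServletInitializer.onStartup is the entry point an external container calls for a WAR deployment. This is an added example, not code from the answer; the package and class names are hypothetical, it assumes Spring Boot 2.x with javax.servlet, and the startup check that refuses to run while URL tracking is still in effect is an addition.

```java
package com.example.session; // hypothetical package name

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.SessionTrackingMode; // jakarta.servlet.* on Spring Boot 3+

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CookieOnlySessionConfig { // hypothetical class name

    // Spring Boot runs ServletContextInitializer beans against the embedded
    // container while the servlet context is starting, which is the only
    // window in which the tracking modes may be changed.
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return servletContext -> {
            // Cookie-only tracking: encodeURL()/encodeRedirectURL() stop
            // appending ";jsessionid=..." and a session id supplied in the
            // URL is no longer used to look up a session.
            servletContext.setSessionTrackingModes(
                    EnumSet.of(SessionTrackingMode.COOKIE));

            // Keep the session cookie out of reach of page scripts.
            servletContext.getSessionCookieConfig().setHttpOnly(true);

            // Fail closed: abort startup if URL tracking is still effective,
            // so a silently ignored setting cannot leak session ids in links.
            Set<SessionTrackingMode> effective =
                    servletContext.getEffectiveSessionTrackingModes();
            if (effective.contains(SessionTrackingMode.URL)) {
                throw new IllegalStateException(
                        "URL session tracking still enabled: " + effective);
            }
        };
    }
}
```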
