For servlet 3.0 environment, set the following in web.xml. Reference: java --Is it possible to disable jsessionid in tomcat Servlet? --Stack Overflow An example of how to do it in earlier versions can be found at the reference link.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
In case of spring, do as follows. Reference: [java --Set tracking mode to cookie to remove appended session id, without using web.xml --Stack Overflow](https://stackoverflow.com/questions/16262285/set-tracking-mode-to-cookie-to- remove-appended-session-id-without-using-web-xml)
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import org.springframework.web.WebApplicationInitializer;
public class WebMVCApplicationInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext container) throws ServletException {
Set<SessionTrackingMode> s = new HashSet<>();
s.add(SessionTrackingMode.COOKIE);
container.setSessionTrackingModes(s);
}
}
If you are using spring-security-web, you can also use AbstractSecurityWebApplicationInitializer.
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.SessionTrackingMode;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class WebSecutityInit extends AbstractSecurityWebApplicationInitializer {
@Override
protected Set<SessionTrackingMode> getSessionTrackingModes() {
return EnumSet.of(SessionTrackingMode.SSL);
}
}