Monday, May 6, 2013

JSTL <c:url> and jsessionid Parameter

Here's a brief entry about the jsessionid parameter that appears whenever you use <c:url/> tags in your JSPs. I've seen several questions on how to remove it, and how to disable <c:url/> tags from generating it. After some research, and some quiet time to think about it, the solution is quite simple, and has something to do with JSPs having session defaulting to true.

The solution is to make sessions optional for pages that don't require them. Simply add a JSP directive <% @page session="false" %>.

JSPs, By Default, Create Sessions

Yes, JSPs create sessions, unless you specify otherwise. By default, JSP files get a HttpSession using request.getSession(true) method. So, by default, JSP files create a new session if none existed.

But what does this have to do with <c:url/> generating/adding a jsessionid parameter to the resulting URL?

The <c:url/> tag checks if the request supports cookies. In cases where the request is the first request (with no cookies sent, at least, none yet), the server could not be sure if the request supports cookies. In these cases, the <c:url/> tag implementation adds the jsessionid parameter when the request does not support cookies. This is called URL session tracking.

When will cookies not be supported?

There are a couple of possibilities. One would be when the browser has it disabled. The other would be when a search bot is crawling your web site.

So, it's not the tag's fault. It's doing what it is supposed to do. It also escapes characters to form a valid URL.

Others might think that simply not using the <c:url/> tag would solve the problem. But I think that creates more problems, as your URLs may not have been escaped properly.

Still others have conjured up filters that would remove the session ID from the URL. Please don't. Making sessions optional may be a better option.

JSPs and Template Frameworks like SiteMesh and Tiles

If you're using template frameworks like SiteMesh and Tiles, you're likely to be using JSPs as decorators or templates (for headers, navigation bars, footers, and others). Note that these JSPs may also create a session, unless you explicitly specify it using the page directive. So, be careful. It might be a good practice to keep these template pages with session creation set to false.

URLs and Crawlers

The problem of inadvertently creating session is more apparent when developing web sites that are crawled by bots (like Googlebot). If you happen to see URLs crawled by the search bot having jsessionid parameters, then you should be looking at the pages that should not have created sessions.

Not only are these session parameters ugly, they simply ruin your web site's search engine results page. Who would want to visit your site with a pre-existing jsessionid?


A good practice would be to keep your landing page (usually an index.jsp, or whatever your welcome page is in your web.xml) with a page directive to turn-off session creation. Another page that should not create sessions would be your login page. The session is only required after the user has logged in (not before).

If a user visits your page with an existing session, it will still work. Remember, we're just making session creation optional. We're not making it invalid.

I hope this brief entry can help several Java developers and save some of our precious time.

1 comment:

  1. Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!

    Web Hosting Services