Description

This web application is configured to support session tracking by both cookies and URLs. Session tracking by URL is also known as "URL rewriting": the session identifier is appended to URLs as ;jsessionid=id. This is triggered automatically when the client has cookies disabled. It is recommended to disable tracking by URL and to explicitly specify cookie-only tracking.

Remediation

Change the value for tracking-mode in WEB-INF/web.xml to make sure the JSESSIONID is stored in a cookie:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
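
To confirm the setting across many applications, the following added example (not part of the original advisory) audits a web.xml descriptor and passes only when COOKIE is the sole declared tracking mode. The function names and the sample descriptors are constructed for illustration; a descriptor with no tracking-mode is reported as failing because the container default then applies and may include URL.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from any real application).
SAMPLE_BOTH = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""
SAMPLE_FIXED = """<web-app>
  <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
</web-app>"""
SAMPLE_NONE = "<web-app><display-name>demo</display-name></web-app>"


def _local(tag):
    """Drop the '{namespace}' prefix so namespaced and plain descriptors match."""
    return tag.rsplit("}", 1)[-1]


def tracking_modes(web_xml):
    """Return the set of <tracking-mode> values found under <session-config>."""
    modes = set()
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "session-config":
            modes.update((c.text or "").strip() for c in elem
                         if _local(c.tag) == "tracking-mode")
    modes.discard("")
    return modes


def audit(web_xml):
    """Return (ok, reason); ok is True only when COOKIE is the sole mode."""
    modes = tracking_modes(web_xml)
    if not modes:
        return False, "no tracking-mode set; container default may include URL"
    if "URL" in modes:
        return False, "URL rewriting enabled: " + ", ".join(sorted(modes))
    if modes == {"COOKIE"}:
        return True, "cookie-only session tracking"
    return False, "unexpected tracking modes: " + ", ".join(sorted(modes))


if __name__ == "__main__":
    # Usage: python audit_webxml.py path/to/WEB-INF/web.xml
    with open(sys.argv[1], "rb") as fh:
        ok, reason = audit(fh.read())
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

The script exits non-zero on failure, so it can gate a build or deployment step.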
