This web application is configured to support session tracking by cookies and URLs. The session tracking by URL is also known as "URL rewriting" wherein you see the ;jsessionid=id to appear in URLs. This will be triggered automatically when the client has cookies disabled. It's recommended to disable tracking by URL, and explicitly specify a tracking mode by cookie only.


Change the value for tracking-mode in WEB-INF/web.xml to make sure the JSESSIONID is stored in a cookie:



Related Vulnerabilities