
Secure JSF web application - Hide session id from being displayed

In the default settings the session id is displayed in the URL. Anyone who sees that session id can take over your logged-in session simply by reusing it, and it can be seen, for example, by sniffing an unencrypted Wi-Fi network (Wireshark).

After you log in to your JSF web application, the URL shown in your browser should not look like this: www.myapplication.tld/site.xhtml;jsessionid=XXXX

You have to use cookies so that the session id is sent with the request as a cookie rather than in the URL (GET). That way it is encrypted in transit as well (if you use SSL, of course, which is recommended).

1. Go to the folder WEB-INF.
If you use NetBeans, you can find the folder in the Projects tab.

2. Then edit the file web.xml
Add the following code so that the session information is kept in a cookie. If a session-config element already exists, add these settings inside it instead of creating a second one.

    <session-config>
        <cookie-config>
            <!-- session cookie not readable from JavaScript -->
            <http-only>true</http-only>
        </cookie-config>
        <!-- session id only in the cookie, never rewritten into the URL -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Now rebuild and redeploy your application. Log in again and check that the URL no longer contains ;jsessionid=, and then we are done.
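To check a web.xml for the settings above before deploying, here is a small audit script. It is an added example, not code from the original post or from any JSF project; the two web.xml documents it contains are constructed samples (one with the container defaults, one hardened). Beyond the post's two settings it also reports a missing secure flag on the session cookie, which only matters when the site is served over SSL, and a session-timeout value, which the post does not cover.

```python
"""Audit a Servlet 3.0+ web.xml for URL-based session tracking.

Added example, not code from the original post. It checks the settings the
post recommends (tracking-mode COOKIE, http-only on the session cookie) and,
as a caveat for SSL deployments, the secure flag.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default web.xml with no <session-config> at all.
WEB_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
</web-app>
"""

# Constructed sample: the hardened configuration (post's settings plus secure flag).
WEB_XML_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""


def _text(parent, tag):
    """Stripped text of the first child with local name `tag` (namespace-agnostic)."""
    if parent is None:
        return None
    node = parent.find("{*}" + tag)
    return node.text.strip() if node is not None and node.text else None


def audit_web_xml(xml_source):
    """Return a list of findings; an empty list means no issue was found."""
    root = ET.fromstring(xml_source)
    session_config = root.find("{*}session-config")
    if session_config is None:
        # Without a session-config the container default applies, which in
        # common containers permits URL rewriting with ;jsessionid= for clients
        # that have not yet presented a cookie.
        return ["no <session-config>: container default allows URL session tracking (;jsessionid=)"]

    findings = []
    modes = [m.text.strip() for m in session_config.findall("{*}tracking-mode") if m.text]
    if not modes:
        findings.append("no <tracking-mode>: URL rewriting still permitted")
    elif modes != ["COOKIE"]:
        findings.append("tracking-mode %r is not exactly ['COOKIE']" % modes)

    cookie_config = session_config.find("{*}cookie-config")
    if _text(cookie_config, "http-only") != "true":
        findings.append("session cookie is not http-only (readable from script)")
    if _text(cookie_config, "secure") != "true":
        findings.append("session cookie lacks the secure flag (only relevant when serving over SSL)")
    return findings


if __name__ == "__main__":
    for name, doc in (("default", WEB_XML_DEFAULT), ("hardened", WEB_XML_HARDENED)):
        print(name, "->", audit_web_xml(doc) or "OK")
```

Run it against your own file with `audit_web_xml(open("WEB-INF/web.xml").read())`. Do not set the secure flag on a site that is still served over plain HTTP, because the browser will then never send the session cookie and every request will start a new session.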
