Tomcat disable jsessionid on url

July 13, 2012

I had a problem with a Java web app hosted in a Tomcat container. The app posted out to a third-party card provider to accept the credit card details (keeping the card numbers off my own servers, which avoids most of the PCI-DSS burden of handling them yourself), and the provider would then redirect the customer back to a configured return URL once the card details had been recorded.

In my particular case Tomcat was not using a cookie to hold the session id; it was rewriting URLs to carry a ;jsessionid=... path parameter instead. That would normally be fine, but the return URL from the card processor is a fixed address that carries no session id, so the request that came back to my site arrived without one and Tomcat started a new, empty session. Everything stored in the session before the hand-off was lost.

Tomcat's documentation says that URL rewriting can be disabled by adding a disableURLRewriting attribute to your Tomcat context:

<Context disableURLRewriting="true">

This didn't work for me. It failed because I was testing the site over plain http, not https, while the Tomcat Connector was configured with secure="true". That attribute makes Tomcat treat every request on the connector as secure, so the JSESSIONID cookie was issued with the Secure flag, and a browser will never send a Secure cookie back over http. Because the cookie was never returned, every request looked to Tomcat like one with no session cookie: that is why it had fallen back to URL rewriting in the first place, and why switching the rewriting off on its own simply left me with no session at all.

Setting secure="false" on the connector fixed things for development. In production the site runs over https, so secure="true" is correct there and should stay: the Secure flag is what stops the session cookie from being sent in the clear. The mismatch to avoid is secure="true" on a connector that is actually serving plain http.
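For reference, here are the settings described above side by side. This is an added example, not the configuration from the original post: the port numbers, keystore path and password are placeholders, and the web.xml fragment at the end is the portable Servlet 3.0 way of saying the same thing as disableURLRewriting on containers that support it (Tomcat 7 and later).

```xml
<!-- server.xml, development: plain http on 8080.
     This connector must not claim to be secure. With secure="true" Tomcat
     would mark JSESSIONID as Secure, the browser would never return it over
     http, and Tomcat would fall back to ;jsessionid=... in URLs. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           scheme="http" secure="false" />

<!-- server.xml, production, option A: Tomcat terminates TLS itself.
     keystoreFile/keystorePass are placeholders for this example. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- server.xml, production, option B: a front-end proxy terminates TLS and
     forwards to Tomcat over AJP. secure="true" is correct here because the
     client's connection really is https, so the cookie must be Secure and
     request.isSecure() must report true even though this hop is not TLS. -->
<Connector port="8009" protocol="AJP/1.3"
           scheme="https" secure="true" proxyPort="443" />

<!-- context.xml (or the app's META-INF/context.xml):
     stop Tomcat appending ;jsessionid=... to encoded URLs, and keep the
     session cookie out of reach of script with HttpOnly. -->
<Context disableURLRewriting="true" useHttpOnly="true">
</Context>

<!-- WEB-INF/web.xml, Servlet 3.0 equivalent of disableURLRewriting:
     track the session by cookie only, never by URL. -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

The two production connectors are alternatives, not both at once. The point to check after any change is request.isSecure() and request.isRequestedSessionIdFromCookie() on the request that comes back from the card provider: the first must match how the client actually connected, and the second must be true, otherwise the session will still be lost regardless of the URL rewriting setting.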