Exposing session information in the URL is a growing security risk: the corresponding category rose from 7th place in the 2007 OWASP Top 10 to 2nd place in the 2013 edition.
Starting with Spring 3.0, the URL rewriting logic that appends the jsessionid to URLs can be disabled by setting disable-url-rewriting="true" on the <http> element of the security namespace.
Alternatively, starting with Servlet 3.0, the session tracking mechanism can also be configured in the web.xml:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
and programmatically:
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import org.springframework.web.WebApplicationInitializer;

public class MainWebAppInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext sc) throws ServletException {
        // ...
        // Restrict session tracking to cookies so the container never rewrites the id into URLs
        sc.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
This setting determines where the JSESSIONID is carried: in a cookie or in a URL parameter; with COOKIE as the only tracking mode, the container no longer appends the id to URLs.
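A check to run after switching to cookie-only tracking, added here as an example and not part of the original article: it scans constructed access-log lines in Combined Log Format for a jsessionid path parameter in the request URL or the Referer URL and reports each hit with the id redacted, so the log review itself does not spread the value further.

```python
import re

# Servlet containers rewrite the session id into the URL as a path parameter,
# e.g. /app/home;jsessionid=ABCD?x=1 (the form Tomcat and Jetty produce).
JSESSIONID_RE = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)

# Combined Log Format: client, identd, user, time, request line, status, bytes, referer, user-agent.
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def redact_session_id(url: str) -> str:
    """Replace any jsessionid path parameter so the URL is safe to log or report."""
    return JSESSIONID_RE.sub(";jsessionid=[REDACTED]", url)


def audit_access_log(log_text: str) -> list[dict]:
    """Return one finding per request or Referer URL that still carries a jsessionid."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        for field in ("target", "referer"):
            if JSESSIONID_RE.search(m.group(field)):
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "field": field,
                    "url": redact_session_id(m.group(field)),
                })
    return findings


# Constructed sample lines (not real traffic): line 1 shows a rewritten URL, line 3 shows
# the id travelling in a Referer header, which is how it leaks to whatever site is visited next.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/home;jsessionid=1A2B3C4D5E6F7A8B HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /app/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /app/report?id=7 HTTP/1.1" 200 2048 "https://example.test/app/list;jsessionid=9F8E7D6C5B4A" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: jsessionid in {f['field']} from {f['client']}: {f['url']}")
```

An empty result on a day's worth of logs is the confirmation that the COOKIE-only configuration is in effect; any hit in the Referer field points at a page that still emits rewritten links.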