Firstly, I should say I have already read the past threads that are
concerned with the problem of jsessionid being appended to the URL. My experiment proved
the conclusion: the first time people visit the site, the application server
(Tomcat) appends the jsessionid to the URL no matter whether
your browser has cookies enabled. Then, if you continue clicking other links
on the page, or if you close the windows in your Firefox and reopen it
again, the jsessionid parameter disappears because the cookie has been
set.

Now here is my scenario. My program should be integrated with other forums
or portal sites. Those sites send their account profiles to my server by
HTTP request with encrypted parameters (but not HTTPS). Meanwhile, my
program mounts a URL (like loginx) for such requests, which does
some authentication and throws a new RestartResponseAtInterceptPageException
to the Home page on success.

Unfortunately, my Home page is constructed with some frame pages, which means
users do NOT see the browser URL change when they click links or submit
forms in the page, so the original jsessionid set by Tomcat, as we mentioned
above, remains forever. What's worse, users would get into others' accounts
if they could receive the URL shown in the browser address bar in some
way. That's terrible for my system.

BTW, I'm using mod_proxy of Lighttpd to proxy the dynamic requests to
the back-end Tomcat server, which does NOT have any load-balancing setting or
other cluster usage.

I've tried several methods, which turned out to be useless:
1) Find some configuration setting that may force Tomcat to use the
cookie only, rather than both setting the cookie and rewriting the URL the first
time.
2) Mount another page as a proxy connecting my loginx page and Home
page, and use setResponsePage in its constructor.

So my question is: how could I avoid appending the jsessionid parameter to the
URL permanently, even the first time people visit my site?

Thanks in advance. I'd appreciate any advice.
