Session ID

GlassFish V2

Normally GlassFish 2 encodes session id to the URL automatically, if the browser does not support cookies. Additional it is possible to set the property enableCookies to never or always append the session id to the URL.

But this property setting can be confusing, because of bug with newly created sessions [1]. And also the property enableURLRewriting is not working as expected.

GlassFish V2.1

GlassFish 2.1 fix this unexpected behaviour and ensures for all cases, that setting enableCookies to true only stores the session id in the cookie or false only encode session id to the URL.

As this version does also not support enableURLRewriting, the automatic handling of the session id is not possible anymore.

So if your application should support all clients, even those which do not accept cookies, you must add the following to the sun-web.xml file [2].

<session-config> <session-properties> <property name="enableCookies" value="false" /> </session-properties> </session-config>

The problem now is that all application URLs contain the session id, which means:

GlassFish V2.1 Patch

If you want to avoid these problems and still run your application with automatically handling of the session id, you can use the unoffical Patch [3] provided by Jan Luehe [4], which backports GlassFish 3 support for enableURLRewriting to the current version.

Just put this jar somewhere in the file system and define the path in the Attribute classpath-prefix of the Tag java-config [5].

GlassFish V2.1.1

The problem does not occur in this version anymore. The automatic handling of the session id works even without patch and without special properties as usal.

GlassFish V3

GlassFish 3 provides better control of session id handling, because it supports enableCookies and enableURLRewriting [6]. As default both are true, so for automatic detection of cookie based or url based session id is no entry in sun-web.xml neccessary.


I prefere the solution of automatic url rewriting, even for SEO applications. The site I-Coding itself is with serveral keys in Googles top 10, even though it uses JSF and Session IDs. Furthermore webmasters or developers can also submit application URLs with an sitemap file to the main search engines.


[1] Issue 3972
[2] /WEB-INF/sun-web.xml
[3] Patch for GlassFish V2.1
[4] Jan Luehe's Blog
[5] /domains/domain1/config/domain.xml
[6] Issue 4394

Johannes Hammoud Session ID 30.01.2009

I Coding : Community about Java programing

Language German+-

Java JSF JavaScript HTML CSS NetBeans GlassFish MySQL