Unsafe value for session tracking in WEB-INF/web.xml
Description
This web application is configured to track user sessions using both cookies and URL rewriting. URL-based session tracking appends the session identifier (e.g., ;jsessionid=ABC123) directly to URLs, which automatically activates when cookies are disabled in the client browser. This configuration creates unnecessary security risks, as session identifiers should only be transmitted via secure HTTP cookies with appropriate security flags.
Remediation
Configure the application to use cookie-based session tracking exclusively by modifying the WEB-INF/web.xml deployment descriptor. Add or update the <session-config> element to explicitly set the tracking mode to COOKIE only:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <!-- Optional: Configure additional cookie security settings -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
After making this change, redeploy the application and verify that session IDs no longer appear in URLs. Note that users with cookies disabled will not be able to maintain sessions, but this is an acceptable trade-off for improved security.
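The following is an added verification script, not part of the original finding or of any project it describes. It parses a WEB-INF/web.xml (tolerating the Java EE and Jakarta EE namespaces) and reports whether URL session tracking is enabled, whether no tracking mode is set at all so the container default applies, and whether the session cookie is missing HttpOnly or Secure; it also scans response text or log lines for the ;jsessionid= pattern the finding describes. The two web.xml fragments and the redirect line are constructed sample inputs, and the hostname example.invalid is a placeholder.

```python
"""Audit a WEB-INF/web.xml for URL-based session tracking and weak cookie settings."""
import re
import xml.etree.ElementTree as ET

# Deployment descriptors may use either Java EE namespace, the Jakarta EE one, or
# none at all, so lookups use ElementTree's {*} namespace wildcard (Python 3.8+).
SESSION_CONFIG = "{*}session-config"
TRACKING_MODE = "{*}tracking-mode"
HTTP_ONLY = "{*}cookie-config/{*}http-only"
SECURE = "{*}cookie-config/{*}secure"

# Matches the session identifier form that URL rewriting appends to paths.
JSESSIONID_IN_URL = re.compile(r";jsessionid=[^;?#/]+", re.IGNORECASE)


def _text(elem, path):
    """Return the stripped text of the first matching child, or None."""
    found = elem.find(path)
    return found.text.strip() if found is not None and found.text else None


def audit_web_xml(xml_text: str) -> dict:
    """Return the declared tracking modes and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    session_config = root.find(SESSION_CONFIG)
    modes, http_only, secure = [], None, None
    if session_config is not None:
        modes = [m.text.strip().upper()
                 for m in session_config.findall(TRACKING_MODE) if m.text]
        http_only = _text(session_config, HTTP_ONLY)
        secure = _text(session_config, SECURE)

    findings = []
    if "URL" in modes:
        findings.append("URL session tracking is explicitly enabled")
    elif not modes:
        # With no <tracking-mode> the container default applies; Tomcat's default
        # is COOKIE plus URL, so the absence is itself worth flagging.
        findings.append("no <tracking-mode> set; container default applies")
    if http_only != "true":
        findings.append("session cookie is not marked HttpOnly")
    if secure != "true":
        findings.append("session cookie is not marked Secure")
    return {"tracking_modes": modes, "findings": findings}


def urls_with_session_id(text: str) -> list:
    """Return every ;jsessionid=... fragment found in a body, Location header or log line."""
    return JSESSIONID_IN_URL.findall(text)


# Constructed sample: the weak configuration the finding describes.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: the remediated configuration from the Remediation section.
FIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample: a redirect as a container would emit it with URL rewriting on.
SAMPLE_REDIRECT = "Location: https://example.invalid/app/home;jsessionid=ABC123?tab=1"

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, audit_web_xml(xml))
    print("session ids in URLs:", urls_with_session_id(SAMPLE_REDIRECT))
```

Run it against the real descriptor after redeploying, and point urls_with_session_id at captured Location headers or access-log lines to confirm the identifier is no longer being rewritten into links.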