How to disable jsessionid
The cookie named JSESSIONID appears to be used to track session state. If so, it also appears to be vulnerable to session fixation. When the URL was supplied, the response set the cookie to the same value provided in the URL. It does not appear to be possible to set the cookie to arbitrary values. This means that the attacker must first identify a valid session ID before fixating the victim on it. One form of session fixation is when an arbitrary session ID can be set from an HTTP query parameter. If an attacker can get the user to execute the query (perhaps by clicking on a link), the session can be easily hijacked since |