Thymeleaf currently adds the "jsessionid" fragment to any context-relative or server-relative URLs when a user session is active in the server (request.getSession(false) is not null).
Although most public sites will not be creating sessions for non-authenticated users (and Thymeleaf allows this), it might happen that some sites do, and therefore ;jsessionid=xxxxx fragments would be added to the Google index, which is a security risk.
A purpose-specific fix for this would be checking, when adding the ;jsessionid part, that the "User-Agent" header does not include GoogleBot.
Note that this could be nevertheless a problem for session-creating public websites, because Google (which is cookie-less) could be creating a new session for every page it indexes.