Avoid jsessionid in URLs when indexed by GoogleBot #46
Comments
ghost
assigned 
|
Google crawler User-Agent specification: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943 |
|
Fixed and added to 2.0.12-SNAPSHOT |
rwinch
pushed a commit
to rwinch/thymeleaf
that referenced
this issue
Dec 4, 2021
rwinch
pushed a commit
to rwinch/thymeleaf
that referenced
this issue
Dec 4, 2021
thymeleaf#46 Add MapAccessor to ThymeleafEvaluationContext
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thymeleaf currently adds the "jsessionid" fragment to any context-relative or server-relative URLs when a user session is active in the server (
request.getSession(false)is not null).Although most public sites will not be creating sessions for non-authenticated users (and thymeleaf allows this), it might happen that some sites do, and therefore
;jsessionid=xxxxxfragments would be added to the Google index, which is a security risk.A purpose-specific fix for this would be checking, when adding the
;jsessionidpart, that the "User-Agent" header does not includeGoogleBot.Note that this could be nevertheless a problem for session-creating public websites, because Google (which is cookie-less) could be creating a new session for every page it indexes.
The text was updated successfully, but these errors were encountered: