Forum Discussion
I see you have already found a solution using an iRule, as per your comment in this post:
https://devcentral.f5.com/questions/hide-jsession-id-61022
Knowledgebase article K7513 talks about hiding jsessionid in URL from ASM to prevent ASM from treating each user session as a unique URL.
You really need to change this in your backend server's JBoss config.xml and make sure tracking-mode is set to COOKIE:
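<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>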
If you cannot change the JBoss config for some reason, you need to add the http-only and Secure attributes to your JSESSIONID cookie.
So basically there are only 2 ways jsessionid=xxx can get into your browser:
1) The server sends it to the client (browser) in a Redirect response - you can remove it using an iRule.
2) The application on the client side (JavaScript) extracts the JSESSIONID from a cookie and generates a request appending jsessionid to the URL - you can stop this by making sure the JSESSIONID cookie is HTTP-Only, so it will no longer be accessible from JavaScript.
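
To verify both points after the change, the following is an added example, not part of the original reply and not F5 or JBoss code: a Python check that flags a redirect whose Location still carries `;jsessionid=` and a JSESSIONID cookie missing HttpOnly or Secure. The function names, the host `app.example.com` and the sample responses are constructed for illustration.

```python
import re

# Servlet path parameter ";jsessionid=<id>", ending at the next
# path parameter, path segment, query string or fragment.
_JSESSIONID_PARAM = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)


def strip_jsessionid(url):
    """Return url with any ;jsessionid=... path parameter removed."""
    return _JSESSIONID_PARAM.sub("", url)


def cookie_attributes(set_cookie):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(status, headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and 300 <= status < 400:
            if _JSESSIONID_PARAM.search(value):
                # Report the cleaned URL so the session id is not copied into logs.
                findings.append("redirect carries jsessionid, expected: "
                                + strip_jsessionid(value))
        elif lname == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname.upper() == "JSESSIONID":
                for required in ("httponly", "secure"):
                    if required not in attrs:
                        findings.append("JSESSIONID cookie missing " + required)
    return findings


# Constructed sample responses (not captured from a real system).
BEFORE = (302, [("Location", "https://app.example.com/home;jsessionid=ABC123?x=1"),
                ("Set-Cookie", "JSESSIONID=ABC123; Path=/")])
AFTER = (302, [("Location", "https://app.example.com/home?x=1"),
               ("Set-Cookie", "JSESSIONID=ABC123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, (status, headers) in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(status, headers))
```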