cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sonny Sukumar" <>
Subject Re: URLs being encoded WITH cookies enabled
Date Thu, 28 Aug 2003 21:26:00 GMT

Hi all,

Joerg made a good point the other day (below) about always using URL 
rewriting rather than cookies, for security reasons.  I've decided that we 
should do the same, since ours will be an e-commerce site and if somebody is 
using a public computer (like at a university) then closing the browser 
shouldn't leave that person logged in (and hence leave their personal 
account details vulnerable, even if somebody else can't place an order 
without entering a credit card).

I was also wrong in saying that the URLs were being encoded whether or not 
cookies are enabled--they're actually not, as I've verified today.

With all that said, how can I tell Tomcat to always encode the URLs?  It 
says this in the API documentation for method encodeURL() in the interface 

"Encodes the specified URL by including the session ID in it, or, if 
encoding is not needed, returns the URL unchanged. The implementation of 
this method includes the logic to determine whether the session ID needs to 
be encoded in the URL. For example, if the browser supports cookies, or 
session tracking is turned off, URL encoding is unnecessary."

This doc is here: 

Not a Tomcat-specific doc, but the behavior matches what I'm seeing.


>From: Joerg Heinicke <>
>Subject: Re: URLs being encoded WITH cookies enabled
>Date: Tue, 26 Aug 2003 10:16:21 +0200
>Sonny Sukumar wrote:
>>Anyhow, 2 other reasons I'd prefer URL/link rewriting not to occur when 
>>cookies are enabled:
>>1.) It takes up precious time to parse a document and rewrite links.
>IMO this can be ignored. The second reason is much more important.
>We do the link rewriting ourself in a XSLT stylesheet when generating the 
>page. This is especially useful if you need rewritten JavaScript links.
>>2.) If someone closes the browser, the session is gone, whereas a cookie 
>>still remains even after closing the browser and can be used to 
>>re-establish the same session, provided the session is still valid on the 
>This is true and maybe important for you or your user's comfort. As we 
>develope mostly applications related to banking or payment the security 
>issues are more important for us. If anybody leaves his PC for 5 minutes 
>for smoking or coffee nobody else shall simply open the browser and order 
>something with the other one's identity. So we abstain from cookies 
>To unsubscribe, e-mail:
>For additional commands, e-mail:

MSN 8: Get 6 months for $9.95/month.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message