struts-dev mailing list archives

From "Martin Cooper" <martin.coo...@tumbleweed.com>
Subject Re: Forced URL rewriting
Date Mon, 07 Jan 2002 03:52:40 GMT
The first request in a session will always result in a rewritten URL *and* a
cookie being returned to the browser. That's because the servlet container
does not yet know if the browser has cookies enabled, so it returns both. On
the second request, the container will see the cookie, if cookies are
enabled, and stop rewriting URLs. If the container didn't get the cookie
back, then it will continue to rewrite the URLs.

See section 7.1 of the Servlet spec for more on this.

--
Martin Cooper


----- Original Message -----
From: "John Yu" <john@scioworks.com>
To: "Struts Developers List" <struts-dev@jakarta.apache.org>
Sent: Sunday, January 06, 2002 7:37 PM
Subject: Re: Forced URL rewriting


> At 10:15 am 04-01-2002 -0800, you wrote:
> > > Recently, we had a project using Struts with Weblogic. Weblogic has an
> > > option in its proprietary weblogic.xml descriptor to turn off URL rewrite.
> > > We tried it and it worked. No more 'jsessionid' appeared on the URL.
> > >
> > > (We tried this because our client was worried that the app users would try
> > > to cut and paste the session id from one PC to another and compromise the
> > > security...)
> > >
> >
> >IMHO, this is an entirely insufficient argument for turning off URL
> >rewriting.  You've got equivalent security issues with cookies -- the only
> >difference is you cannot see them visibly.
>
>
> Well, making it invisible does help a bit. "Security by Obscurity!" :-)
>
> Btw, there's something I'm not too sure about. I suppose if cookies are enabled,
> URL rewrite will not happen. However, on Weblogic, with cookies on, it
> always does URL rewrite after the first login Action. (But the rest of the pages
> are ok.) That's why we turned off URL rewrite with cookies turned on.
>
>
> --
> John Yu                       Scioworks Technologies
> e: john@scioworks.com         w: +(65) 873 5989
> w: http://www.scioworks.com   m: +(65) 9782 9610
>
> Scioworks Camino - "Rapid WebApp Assembly for Struts"
>
>
> --
> To unsubscribe, e-mail: <mailto:struts-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:struts-dev-help@jakarta.apache.org>
>


--
To unsubscribe, e-mail:   <mailto:struts-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-dev-help@jakarta.apache.org>
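Martin's description of the container's behaviour (Servlet spec section 7.1), modelled as an added Python example that is not from this thread, from Struts, or from any servlet container: a new session is advertised both by Set-Cookie and by URL rewriting, and rewriting stops only once the id comes back in a cookie. The Request and Container classes and encode_url are constructed stand-ins for the servlet API; an id the container never issued is ignored rather than adopted.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

COOKIE = "JSESSIONID"  # cookie name the Servlet spec reserves for session tracking

@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    url_session_id: Optional[str] = None  # value of a ;jsessionid=... path parameter

class Container:
    """Constructed model of a servlet container's session-tracking decisions."""
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def handle(self, req: Request):
        """Return (session_id, Set-Cookie header or None, rewrite_urls)."""
        requested = req.cookies.get(COOKIE) or req.url_session_id
        if requested is None or requested not in self.sessions:
            # New session: the container cannot yet know whether the client
            # accepts cookies, so it advertises the fresh id both ways.
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            return sid, f"{COOKIE}={sid}; Path=/; HttpOnly", True
        # Existing session: keep rewriting only if the id did NOT arrive in a cookie.
        return requested, None, COOKIE not in req.cookies

def encode_url(url: str, sid: str, rewrite: bool) -> str:
    """Model of HttpServletResponse.encodeURL(): append the id only when rewriting."""
    return f"{url};jsessionid={sid}" if rewrite else url

def simulate(cookies_enabled: bool) -> dict:
    """Two requests from one browser; returns what the client would observe."""
    c = Container()
    sid1, cookie1, rw1 = c.handle(Request())  # first request: no session yet
    link = encode_url("/app/list.do", sid1, rw1)
    if cookies_enabled:
        req2 = Request(cookies={COOKIE: sid1})  # browser returns the cookie
    else:
        req2 = Request(url_session_id=sid1)  # browser only follows the rewritten link
    sid2, _, rw2 = c.handle(req2)
    return {
        "first_link_has_id": ";jsessionid=" in link,
        "first_set_cookie": cookie1 is not None,
        "second_link_has_id": ";jsessionid=" in encode_url("/app/list.do", sid2, rw2),
        "same_session": sid1 == sid2,
    }
```

With cookies enabled the id appears in links only in the first response, which is the single-page exposure described above; with cookies disabled it stays in every link, so the "turn off rewriting" setting trades that visibility for breaking cookie-less clients.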

