tomcat-dev mailing list archives

From Jim Manico <>
Subject URL Rewriting
Date Sun, 28 Dec 2008 22:57:26 GMT
URL Rewriting is considered to be a significant security risk (session
IDs get exposed in browser history, bookmarks, proxy servers and other
server-side application logs).

I would like to propose that we create a patch for Tomcat that allows
URL Rewriting to be completely disabled via configuration. Since this is
a bit off the 2.5 spec, I think we might want to keep this turned on by
default, with an option to disable.

Several other Servlet 2.5 containers have implemented this idea some way.

Anyone think this is a reasonable patch? How difficult do you think this
will be, if so?

Best Regards,
Jim Manico
