tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: URL Rewriting
Date Sun, 28 Dec 2008 23:24:24 GMT
Jim Manico wrote:
> URL Rewriting is considered to be a significant security risk (session
> IDs get exposed in browser history, bookmarks, proxy servers and other
> server-side application logs).
> 
> I would like to propose that we create a patch for Tomcat that allows
> URL Rewriting to be completely disabled via configuration. Since this is
> a bit off the 2.5 spec, I think we might want to keep this turned on by
> default, with an option to disable.
> 
> Several other Servlet 2.5 containers have implemented this idea some way.
> 
> Anyone think this is a reasonable patch?
Makes sense to me.

> How difficult do you think this will be, if so?
I haven't looked in great detail but it looks like a trivial change to
o.a.c.connector.Response.toEncoded() would do the trick. Configuration
should probably be on the context to be consistent with the cookies
parameter.

Mark

> 
> Best Regards,
> Jim Manico

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
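Until a container-level switch of the kind proposed above exists, the same effect can be had portably on any Servlet 2.5 container with a filter. The example below is added here for illustration; it is not code from this thread or from Tomcat, and the class name NoUrlRewritingFilter is a placeholder. It closes both directions of the problem: outbound, a response wrapper makes encodeURL/encodeRedirectURL return the URL unchanged, so the container never appends ;jsessionid= to a link or redirect; inbound, a request that already carries a session ID in its URL is refused and the session it names is invalidated, so a bookmarked, logged or proxied URL cannot be replayed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Illustrative Servlet 2.5 filter (hypothetical name, not Tomcat code) that
 * disables URL rewriting for one web application: session IDs are accepted
 * and emitted only via the session cookie.
 */
public class NoUrlRewritingFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Inbound: the container parsed a session ID out of the request path
        // (";jsessionid=..."). That ID has already been written to wherever
        // the URL travelled, so treat it as burned: drop the session it names
        // and reject the request rather than silently continuing with it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession s = request.getSession(false);
            if (s != null) {
                s.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session IDs are accepted only in cookies");
            return;
        }

        // Outbound: Tomcat only appends the session ID when the application
        // calls encodeURL/encodeRedirectURL (Response.toEncoded), so returning
        // the URL untouched is enough to stop it being emitted at all.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override
            public String encodeURL(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            // Deprecated pre-2.1 spellings; some old code still calls them.
            @SuppressWarnings("deprecation")
            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @SuppressWarnings("deprecation")
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }
        });
    }
}
```

Map the filter to /* in web.xml so every response, including redirects issued by other filters, goes through the wrapper. The trade-off is the one the thread anticipates: clients with cookies disabled lose their session on every request, which is the intended behaviour once URL rewriting is declared off. Note that the inbound check only fires when the container actually sourced the ID from the URL; if a valid cookie is also present, Tomcat prefers the cookie and isRequestedSessionIdFromURL() returns false, which is the desired outcome.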

