tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: URL Rewriting
Date Sun, 28 Dec 2008 23:24:24 GMT
Jim Manico wrote:
> URL Rewriting is consider to be a significant security risk (session
> ID's get exposed in browser history, bookmarks, proxy servers and other
> server-side application logs).
> I would like to propose that we create a patch for Tomcat that allows
> URL Rewriting to be completely disabled via configuration. Since this is
> a bit off the 2.5 spec, I think we might want to keep this turned on by
> default, with an option to disable.
> Several other Servlet 2.5 containers have implemented this idea some way.
> Anyone think this is a reasonable patch?
Makes sense to me.

> How difficult do you think this will be, it so?
I haven't looked in great detail but it looks like a trivial change to
o.a.c.connector.Response.toEncoded() would do the trick. Configuration
should probably be on the context to be consistent with the cookies


> Best Regards,
> Jim Manico
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message