tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject Re: URL Rewriting
Date Mon, 29 Dec 2008 04:13:37 GMT
Great, Mark,

I'll add this as a bug and take it on. 

- Jim
> Jim Manico wrote:
>   
>> URL Rewriting is considered to be a significant security risk (session
>> IDs get exposed in browser history, bookmarks, proxy servers and other
>> server-side application logs).
>>
>> I would like to propose that we create a patch for Tomcat that allows
>> URL Rewriting to be completely disabled via configuration. Since this is
>> a bit off the 2.5 spec, I think we might want to keep this turned on by
>> default, with an option to disable.
>>
>> Several other Servlet 2.5 containers have implemented this idea some way.
>>
>> Anyone think this is a reasonable patch?
>>     
> Makes sense to me.
>
>   
>> How difficult do you think this will be, if so?
>>     
> I haven't looked in great detail but it looks like a trivial change to
> o.a.c.connector.Response.toEncoded() would do the trick. Configuration
> should probably be on the context to be consistent with the cookies
> parameter.
>
> Mark
>
>   
>> Best Regards,
>> Jim Manico
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>     
>
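Mark's suggested change is container-side (o.a.c.connector.Response.toEncoded()). The same outcome can be reached from inside a web application, which is useful on a container that offers no such switch. The filter below is an added example written for this archive page; it is not code from this thread, from Jim's patch, or from Tomcat itself. The class name, the logger and the decision to invalidate a URL-borne session are the example's own choices, not anything the thread specifies.

```java
// Added example, not Tomcat's code: a servlet filter that (a) stops the
// application from ever emitting ;jsessionid=... in URLs and (b) refuses to
// honour a session ID that arrived as a URL path parameter.
// Class name, logger and the invalidation policy are assumptions of this example.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

public class NoUrlRewritingFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(NoUrlRewritingFilter.class.getName());

    /**
     * Response wrapper whose encode* methods return the URL unchanged, so
     * response.encodeURL("/app/page") can never append the session ID.
     * The deprecated encodeUrl/encodeRedirectUrl variants are covered too,
     * because older code still calls them.
     */
    static final class NonRewritingResponse extends HttpServletResponseWrapper {
        NonRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) { return url; }

        @Override
        public String encodeRedirectURL(String url) { return url; }

        @SuppressWarnings("deprecation")
        @Override
        public String encodeUrl(String url) { return url; }

        @SuppressWarnings("deprecation")
        @Override
        public String encodeRedirectUrl(String url) { return url; }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Detection side: a session ID supplied as a path parameter may have
        // been copied from a bookmark, a proxy log or a shared link, exactly
        // the exposure the thread describes. Policy chosen here: do not trust
        // it, drop that session and log the event; a cookie-based session is
        // created afresh further down the chain if the application needs one.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            LOG.warning("Ignored session ID supplied in URL for "
                    + request.getRequestURI());
        }

        // Mitigation side: everything downstream sees a response object that
        // cannot rewrite URLs, so no session ID can leak into a link.
        chain.doFilter(request, new NonRewritingResponse(response));
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml and list its filter-mapping before any other so it wraps the response first. On a Servlet 3.0 or later container the declarative equivalent is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which disables URL-based tracking without application code; the filter remains useful on Servlet 2.5 containers, which is the situation the thread is discussing.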

