tomcat-users mailing list archives

From "Blake Binkley" <mord...@aoj.net>
Subject automated URL rewriting
Date Tue, 09 Jan 2001 06:17:14 GMT
I have searched all over the place and see a lot about "URL rewriting". Here
is what I know:

You can use
<A href=<%= response.encodeURL("NewPage.jsp") %> >
to force a single link to encode the session if cookies are turned off.

When cookies are turned off and the above method is used, it is easy for a
session to be loaned/stolen by just copying the URL and sending it by IM
(Instant Messaging) to a friend who also has cookies turned off.

The above method of using rewriting is bulky and forces either the designers
to learn some JSP code or the programmers to replace every link on every page
with the above code.

My Questions:

Is there no setting in server.xml that we can set to have all anchors and
form actions ending in .jsp rewritten?

Perhaps, to add an extra level of security, can we not encrypt the jsessionId
with the value of Remote_IP so that it invalidates on a bad decryption?

Blake Binkley
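
An added illustration, not part of the original message and not Tomcat code: one way to get the effect the last question asks for, using an HMAC tag over the session id and the client address in place of encryption, so that a URL copied to a client at another address fails verification. The class and method names, the key and the addresses are hypothetical, constructed values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not a Tomcat API): binds a session id to a client address.
public class IpBoundSessionToken {
    private final SecretKeySpec key;

    public IpBoundSessionToken(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    private byte[] tag(String sessionId, String remoteIp) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Length-prefix the id so different (id, address) pairs cannot produce the same message.
        String msg = sessionId.length() + ":" + sessionId + "|" + remoteIp;
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Value to carry in the rewritten URL: "<sessionId>.<base64url tag>".
    public String issue(String sessionId, String remoteIp) throws Exception {
        return sessionId + "." + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(tag(sessionId, remoteIp));
    }

    // Returns the session id if the tag matches this client's address, otherwise null.
    public String verify(String token, String remoteIp) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot <= 0) return null;                 // no tag present
        String sessionId = token.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                           // malformed tag
        }
        // MessageDigest.isEqual compares without an early exit on the first mismatch.
        return MessageDigest.isEqual(presented, tag(sessionId, remoteIp)) ? sessionId : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real key must come from a secure random source.
        IpBoundSessionToken t = new IpBoundSessionToken("demo-only-secret".getBytes(StandardCharsets.UTF_8));
        String token = t.issue("A1B2C3D4E5", "192.0.2.10");
        System.out.println("same address:  " + t.verify(token, "192.0.2.10"));
        System.out.println("other address: " + t.verify(token, "198.51.100.7"));
    }
}
```

Binding to the address does not separate clients that share one address behind a NAT or proxy, and it invalidates the session of a legitimate user whose address changes mid-session.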


