tomcat-users mailing list archives

From "Sjoerd van Leent" <>
Subject RE: form-based login / cookies disabled / JSPs in WEB-INF
Date Sun, 28 Sep 2003 17:49:35 GMT
Jose, Adam

It's not the best solution, but it should be possible to not set the
SESSIONID in a cookie, but in (a) hidden form field(s). Remember when you do
this, that you need a very strong security encryption. It requires that you
overload the SESSIONID get function, which I think must be possible,
although I didn't try it.


-----Original Message-----
From: Jose Alfonso Martinez [] 
Sent: Sunday 28 September 2003 18:10
To: Tomcat Users List


I have the same issue as you and haven't come up with any workaround.

However, in my site, the login form could be an html because I don't need to
maintain a session until the user has logged-in.

Do you really need to maintain a session, even when the user is just
browsing static html files (before logging in)???  If the answer is no, then
you could have an html login form.


On Sun, Sep 28, 2003 at 05:10:52PM +0200, Adam Hardy wrote:
> I think I have a problem.
> I want form-based container-managed authentication on my app.
> I also want to allow cookies to be disabled.
> And I want to keep my JSPs under WEB-INF for security.
> It seems I cannot have these 3 combined, because disabling cookies means 
> I have to do URL rewriting in the login form action URL, therefore my 
> login form has to be a JSP and cannot be just plain .html .
> But while I do not want any JSPs outside of WEB-INF, I can't configure 
> my login form to be in WEB-INF.
> Is this true, or is there a work-around?
> Thanks
> Adam
> -- 
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
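The login page Adam describes, added here as an illustration and not code from the thread: a JSP (rather than static HTML) is needed because the form's action URL must be rewritten with response.encodeURL() so the container can keep the session when cookies are off. The file name login.jsp, its placement outside WEB-INF, and the web.xml reference are assumptions.

```jsp
<%@ page contentType="text/html; charset=UTF-8" session="true" %>
<%-- Constructed example login page for container-managed FORM authentication.
     Assumed to be referenced from web.xml as <form-login-page>/login.jsp</form-login-page>. --%>
<%
    // encodeURL() appends ;jsessionid=... only when the client did not present a
    // session cookie, so the POST to j_security_check still reaches the same session.
    String action = response.encodeURL("j_security_check");
    // True when the id on this request arrived in the URL, i.e. cookies are off.
    boolean viaUrl = request.isRequestedSessionIdFromURL();
%>
<html>
<head><title>Login</title></head>
<body>
<% if (viaUrl) { %>
  <p>Your browser is not accepting cookies; the session id is carried in the URL.</p>
<% } %>
<form method="POST" action="<%= action %>">
  <label>User: <input type="text" name="j_username"></label><br>
  <label>Password: <input type="password" name="j_password"></label><br>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

With the id in the URL it also ends up in server logs and Referer headers, so keep the session timeout short and invalidate the pre-login session once authentication succeeds.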

