tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Stavrinides <>
Subject Re: Cookie-less session tracking - whats are the downsides
Date Wed, 23 Apr 2008 15:28:56 GMT
This topic comes up on the list very frequently, you ask ten developers 
this question you may even get eleven opinions. Your answer is it 
depends on your use case and security requirements (for example: I may 
not care, in a shopping cart application, if I write a product id in the 
URL, but I may care about exposing a primary key for a user record in 
the URL)... these are subject to your implementation.

I suggest you do a little more reading and understand the history of 
cookies and URL rewriting, which may help you to understand why/why 
not/when to use them, because this is a highly subjective area, and when 
do developers agree about technology anyway! Personally though, I am 
prepared to sacrifice some compatibility in favour of security... on the 
other hand I also detest the over paranoid.


mfs wrote:
> Guys,
> I would want to know the downsides to using cookie-less sessions ? I want to
> give my client the freedom to disable cookies on the browser if he chooses
> to, but i would want to know the implications to that ?
> Some say, exposing your sessionId in the url exposes it to hackers who can
> spoof the IP (as of the victim) and provide the jsessionId (in the url) and
> can gain control of the victim's session, but if u are using ssl, that
> shouldnt be an issue.
> Would someone comment on the real hazards/bottlenecks to the cookie-less
> approach.
> Thanks in advance and Regards,
> Farhan.

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message