tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nlif <>
Subject Re: No URL rewriting when cookies are disabled
Date Sun, 08 Feb 2009 08:35:17 GMT

Yep, that was it exactly... I've been spoiled by frameworks :)
I did some experimentation myself, and dug a little in framework code, and
indeed, this has been taken care for me in the past, and I assumed it's done
by Tomcat (or any servlet container, for that matter), but it isn't.


Christopher Schultz-2 wrote:
> Hash: SHA1
> André,
> André Warnier wrote:
>> Actually, I was just perusing a page in the Tomcat 6 docs :
>> and it actually says, for the "cookies" attribute :
>> Set to true if you want cookies to be used for session identifier
>> communication if supported by the client (this is the default). Set to
>> false if you want to disable the use of cookies for session identifier
>> communication, and rely only on URL rewriting *by the application*.
> André has the answer right here (though without details).
> In order to get your application to rewrite URLs, you need to pass every
> single outgoing URL through the HttpServletResponse.encodeURL method (or
> HttpServletResponse.encodeRedirectURL if you are using a redirect).
> I've found that this is detail is often overlooked in web applications.
> Most JSP tag libraries and things like that do this transparently, so
> you may not have even been aware that it was a requirement.
> Good luck reviewing all that code ;)
> - -chris
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla -
> +2YAoKYSCgXVEzLMhSFFk309g0OhO8kP
> =SKW6
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message