tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Scott Hamilton" <scott.hamil...@plateau.com>
Subject RE: Is there a better way to disable JSESSIONID in the URLs?
Date Tue, 17 Aug 2010 22:33:25 GMT
Thanks for the reply.

> Tomcat won't put the jsessionid in the URL unless cookies are
disabled.  If they are, then your webapp could refuse to talk to the
client.

I could be missing something, but on a request where a session is
created it appears as though Tomcat will both set the cookie AND do any
necessary URL rewriting in order to ensure that the cookie is preserved.
If the session (a) already exists and (b) was received in the request
through a cookie reference it will NOT do the URL rewriting.  I'm
assuming this is to cover the bases and ensure a JSESSIONID gets
injected into the following requests regardless of the client's cookie
acceptance policy.

>>
And the id value in a cookie doesn't?  What stops anyone from e-mailing
the cookie to someone else?

If someone is truly concerned about security, then they *must* run *all*
traffic through SSL.  If the customers don't do that, they're not really
concerned, despite whatever words they're using.
<<

You're absolutely correct, and SSL is used for our security-conscious
customers.  The issue in question isn't so much about determined hackers
but hapless users who will bookmark URLs or worse, copy URLs to email to
their co-workers.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Tuesday, August 17, 2010 6:16 PM
To: Tomcat Users List
Subject: RE: Is there a better way to disable JSESSIONID in the URLs?

> From: Scott Hamilton [mailto:scott.hamilton@plateau.com]
> Subject: Is there a better way to disable JSESSIONID in the URLs?
> 
> there is no way to disable tomcat from putting the JSESSIONID in URLs
> automatically with a nice friendly global switch/property.

Tomcat won't put the jsessionid in the URL unless cookies are disabled.
If they are, then your webapp could refuse to talk to the client.

> We have an app whose security is a concern for our customers, and
> JSESSIONIDs appearing in the URLs freak them out

And the id value in a cookie doesn't?  What stops anyone from e-mailing
the cookie to someone else?

If someone is truly concerned about security, then they *must* run *all*
traffic through SSL.  If the customers don't do that, they're not really
concerned, despite whatever words they're using.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

.
The information contained in this e-mail message is intended only for the personal 
and confidential use of the recipient(s) named above. This message is privileged 
and confidential. If the reader of this message is not the intended recipient or an
agent responsible for delivering it to the intended recipient, you are hereby notified 
that you have received this document in error and that any review, dissemination, 
distribution, or copying of this message is strictly prohibited.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message