tomcat-users mailing list archives

From "Scott Hamilton" <>
Subject RE: Is there a better way to disable JSESSIONID in the URLs?
Date Thu, 19 Aug 2010 12:32:54 GMT
Sorry to pull the thread back to my original problem, but I have one
more question here.

So far it looks like there's no way to prevent JSESSIONIDs from being
injected into URLs that Tomcat might encode unless you implement a
servlet filter to override that behavior.

My follow-up question is this: given the increasing emphasis on security
(and acknowledging that there's as much fear-mongering as there is
legitimate threats involved in that business and both cost money and
time regardless of the legitimacy of the issue), does it make sense
for Tomcat, and maybe even the servlet spec, to provide the option for
the servlet container to disable this functionality at the container
level, e.g. with a container configuration switch somewhere?

