tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Is there a better way to disable JSESSIONID in the URLs?
Date Tue, 17 Aug 2010 22:53:29 GMT
> From: Scott Hamilton [mailto:scott.hamilton@plateau.com]
> Subject: RE: Is there a better way to disable JSESSIONID in the URLs?
> 
> I could be missing something, but on a request where a session is
> created it appears as though Tomcat will both set the cookie AND 
> do any necessary URL rewriting in order to ensure that the cookie
> is preserved.

Sorry, you're right; at that point Tomcat doesn't know if the client supports cookies.  However,
when skimming through the Tomcat code, the only internal call to encodeURL() that I can find
appears to be called only for relative URLs, so possibly making your initial URLs absolute
might avoid appending the jsessionid.  (But I could have easily missed a call, and there may
be another method that's doing the appending.)

> The issue in question isn't so much about determined hackers
> but hapless users who will bookmark URLs or worse, copy URLs
> to email to their co-workers.

"Hapless" being the operative word.  I think you're stuck with using a filter.

 - Chuck

