From: "Scott Hamilton"
To: "Tomcat Users List" <users@tomcat.apache.org>
Subject: Is there a better way to disable JSESSIONID in the URLs?
Date: Tue, 17 Aug 2010 18:01:38 -0400

Using Tomcat 6.0.29, but I think this is version-independent (correct me if I'm wrong), at least for the 6.0.x versions.

From what I understand (see http://randomcoder.com/articles/jsessionid-considered-harmful for instance; I also scanned various aspects of the Tomcat source code), there is no way to stop Tomcat from putting the JSESSIONID in URLs automatically with a nice, friendly global switch/property. The only way I've seen to do this, as suggested on the site I referenced, is to put a servlet filter in place.

I'd like to know if I'm missing anything: is there a better way to do this?

We have an app whose security is a concern for our customers, and JSESSIONIDs appearing in the URLs freak them out (especially when they demonstrate that you can get a URL from the app, email it to someone else, and have that person magically bypass authentication and assume the role of the other user, as long as the session is still valid, of course).

We are comfortable saying that in order to use our application you need to have cookies enabled, so I'm making the assumption that if we disable the feature of putting the JSESSIONID into the URLs, either through a nice global switch or else a servlet filter, cookie-based session setting/tracking will still function just as we expect.

Finally, does anyone know why this isn't already in the servlet spec? It seems like, with more and more concern over web application security, this would be something the spec should address.

Thanks,
Scott

The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited.
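The servlet-filter approach the message refers to, written out as an added example: this is not code from the original message, from the randomcoder.com article, or from Tomcat itself. It assumes the Servlet 2.5 API that Tomcat 6.0.x ships and a web.xml mapping covering the whole application; the class name DisableUrlSessionFilter is an arbitrary choice.

```java
// DisableUrlSessionFilter.java (added example; the class name is arbitrary).
// Assumes the Servlet 2.5 API shipped with Tomcat 6.0.x.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Keeps ;jsessionid=... out of every URL the application emits and refuses
 * session ids that arrive in a URL instead of a JSESSIONID cookie.
 *
 * web.xml mapping (declare it first so it wraps the response seen by every
 * other filter, servlet and JSP):
 *
 *   <filter>
 *     <filter-name>DisableUrlSessionFilter</filter-name>
 *     <filter-class>DisableUrlSessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>DisableUrlSessionFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *     <dispatcher>ERROR</dispatcher>
 *   </filter-mapping>
 */
public class DisableUrlSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // This is the case the customers demonstrated: a link copied from the
        // address bar and mailed on. Tomcat reports "from URL" only when no
        // JSESSIONID cookie was presented, so a browser using cookies normally is
        // unaffected. Invalidate the session rather than let the link holder use it.
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // Tomcat appends ;jsessionid= only through these response methods (JSP
        // <c:url>, explicit response.encodeURL(), encoded sendRedirect targets).
        // Returning the URL unchanged means no URL ever carries the id, while
        // cookie-based tracking keeps working exactly as before.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(httpResponse) {
            @Override
            public String encodeURL(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @SuppressWarnings("deprecation")
            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @SuppressWarnings("deprecation")
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }
        };

        chain.doFilter(request, noRewrite);
    }
}
```

Two things worth knowing when deploying this. First, the filter is effectively the missing global switch: Tomcat never writes the id into a URL on its own, only when application code or a JSP tag asks the response to encode one, so neutralising those four methods covers the whole webapp, and the cookie path is untouched. A quick check with cookies disabled (for example `curl -s -D - http://host/app/ | grep -i jsessionid`) should show a Set-Cookie header and no `;jsessionid=` anywhere in the body or Location header. Second, the invalidate step is a deliberate trade-off: a user who does paste a URL containing a session id gets logged out instead of letting whoever holds the link impersonate them. Later servlet and Tomcat releases address this in configuration rather than code: Servlet 3.0 (Tomcat 7) accepts `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, and later Tomcat 6.0.x releases added a `disableURLRewriting` attribute on `<Context>`; the filter remains the portable option for 6.0.29.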