tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: CSRF and nonce Config ???
Date Thu, 07 Feb 2013 19:55:40 GMT
2013/2/7 Christopher Schultz <chris@christopherschultz.net>:
> Konstantin,
>
> On 2/7/13 5:19 AM, Konstantin Kolinko wrote:
>> Any other web application that wants to use this feature has to
>> configure this filter explicitly and must pass all important URLs
>> through HttpServletResponse.encodeURL().
>
> Web applications should always pass URLs through
> HttpServletResponse.encodeURL (or
> HttpServletResponse.encodeRedirectURL), whether they are important or
> not ;)

Generally yes, but static resources that do not require authentication
and do not require a session, such as images, work better without
jsessionid.

Best regards,
Konstantin Kolinko
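The distinction drawn in this exchange, as an added example that is not code from the thread or from Tomcat itself: a servlet running behind Tomcat's CsrfPreventionFilter passes every state-changing or session-bound URL through HttpServletResponse.encodeURL() (and redirects through encodeRedirectURL()), so the filter's wrapped response can append its nonce parameter, while leaving static, unauthenticated, cacheable assets unencoded so they never pick up a ;jsessionid= path parameter. The servlet class, the /account/* and /static/* paths, and the web.xml mapping described in the comments are assumptions for illustration; the javax.servlet package matches the Tomcat versions current at the time of the thread.

```java
// Added example, not from the mailing list thread or from Tomcat.
// Assumed deployment (web.xml, not shown):
//   <filter>      org.apache.catalina.filters.CsrfPreventionFilter
//                 with init-param "entryPoints" = /index,/login
//   <filter-mapping> url-pattern /account/*   (NOT /static/*)
// With that mapping, resp.encodeURL() on an /account/* request returns the
// URL with the filter's nonce parameter added; without the filter it still
// handles ;jsessionid= rewriting when the session cookie is not yet confirmed.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountPageServlet extends HttpServlet {

    /** Build a link. Protected/state-changing targets go through encodeURL();
     *  static assets are returned untouched so caches and CDNs see one stable URL. */
    static String link(HttpServletResponse resp, String contextPath,
                       String path, boolean needsSessionOrNonce) {
        String url = contextPath + path;
        return needsSessionOrNonce ? resp.encodeURL(url) : url;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getSession(false) == null) {
            // Not logged in: bounce to the login entry point. Redirect targets
            // must use encodeRedirectURL(), not encodeURL().
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }

        String ctx = req.getContextPath();
        // Session-bound navigation and a destructive action: must carry the nonce.
        String settingsUrl = link(resp, ctx, "/account/settings", true);
        String deleteUrl   = link(resp, ctx, "/account/delete", true);
        // Public image, no auth, no session: deliberately NOT encoded.
        String logoUrl     = link(resp, ctx, "/static/img/logo.png", false);

        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store"); // page itself carries a per-session nonce
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<img src=\"" + logoUrl + "\" alt=\"logo\">");
        out.println("<a href=\"" + settingsUrl + "\">Settings</a>");
        // State change goes through POST; the nonce travels in the form action URL.
        out.println("<form method=\"post\" action=\"" + deleteUrl + "\">");
        out.println("<button type=\"submit\">Delete account</button></form>");
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reached if CsrfPreventionFilter accepted the nonce on /account/delete.
        // ... perform the deletion, then redirect (encoded) back to an entry point.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/index"));
    }
}
```

Because the filter mapping excludes /static/*, a request for the logo is never nonce-checked, and because the servlet never encodes that URL, the browser's and any proxy's cached copy stays valid across sessions; everything under /account/* is both mapped to the filter and emitted through encodeURL(), which is the pairing the filter depends on.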
