Ben,

I think we need to change the existing code which does something like:
 response.sendRedirect(xxxxx)
to
 response.sendRedirect(response.encodeRedirectURL(xxxx))

The existing code is not going to work properly for people who have turned off cookies, or environments (like some mobile phones) which don't support cookies at all.

Without the encodeRedirectURL call, the servlet engine will not add the ';jsessionid=xxxx' it always needs to add in the initial response before a new session has been created (at that point it doesn't know if cookies are available), and which it also needs to add later in case cookies do in fact turn out to not be available.


I'm too busy right now to do this myself, but wanted to mention it here so we don't forget...

Colin



_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
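
The session-tracking behaviour described in the message above, as an added example that is not part of the original email and is not Acegi Security or servlet-container code. `modelEncodeRedirectURL`, `IdSource`, the sample URL and the session id are assumptions made up for the illustration; the method is a simplified model of the decision a container makes inside `encodeRedirectURL`.

```java
// Simplified model (an assumption, not a real container) of how a servlet
// engine decides whether encodeRedirectURL() appends ";jsessionid=...".
public class RedirectEncodingDemo {

    /** Where the session id on the current request came from. */
    enum IdSource { NONE, COOKIE, URL }

    // Rewrite unless the client has already proven that it returns the cookie.
    static String modelEncodeRedirectURL(String url, String sessionId, IdSource source) {
        if (sessionId == null || source == IdSource.COOKIE) {
            return url;
        }
        // The path parameter goes before the query string and the fragment.
        int cut = url.length();
        for (char c : new char[] {'?', '#'}) {
            int i = url.indexOf(c);
            if (i >= 0 && i < cut) {
                cut = i;
            }
        }
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        String target = "/secure/index.jsp?tab=1"; // constructed sample URL
        String sid = "ABC123";                     // constructed sample session id

        // 1. Session just created: cookie support is unknown, so the id is added.
        System.out.println(modelEncodeRedirectURL(target, sid, IdSource.NONE));
        // 2. The client sent the cookie back: the URL is left unchanged.
        System.out.println(modelEncodeRedirectURL(target, sid, IdSource.COOKIE));
        // 3. Cookies are off and the id arrived in the URL: it is added again.
        System.out.println(modelEncodeRedirectURL(target, sid, IdSource.URL));
        // 4. Redirect without the encode call: the cookieless client from case 3
        //    follows this URL with no session id and arrives without its session.
        System.out.println(target);
    }
}
```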