[ https://issues.apache.org/jira/browse/OFBIZ-6872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-6872. ---------------------------------- Resolution: Done > Remove all sessionsIds put in URLs > ---------------------------------- > > Key: OFBIZ-6872 > URL: https://issues.apache.org/jira/browse/OFBIZ-6872 > Project: OFBiz > Issue Type: Sub-task > Components: framework > Affects Versions: Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Fix For: Upcoming Branch > > > We should always use sessionIds in cookies and newer have sessionsIds in > URLs. So I will remove all sessionsIds in URLs. There are 2 cases: > # the part related to spiders in RequestHandler > # HtmlFormRenderer.appendExternalLoginKey() (there is also an > appendExternalLoginKey method in MacroFormRenderer class but it's not used > OOTB) > There are also many cases where we show the sessionId in logs (using > UtilHttp.getSessionId()) I wonder if we should not keep those commented out > or change the debug info level. Also HttpSessionEvent.getSession().getId() is > directly used in some places for the same purpose (log) -- This message was sent by Atlassian JIRA (v6.3.4#6332)