Great, Mark, I'll add this as a bug and take it on.
- Jim

> Jim Manico wrote:
>
>> URL Rewriting is considered to be a significant security risk (session
>> IDs get exposed in browser history, bookmarks, proxy servers and other
>> server-side application logs).
>>
>> I would like to propose that we create a patch for Tomcat that allows
>> URL Rewriting to be completely disabled via configuration. Since this is
>> a bit off the 2.5 spec, I think we might want to keep this turned on by
>> default, with an option to disable.
>>
>> Several other Servlet 2.5 containers have implemented this idea some way.
>>
>> Anyone think this is a reasonable patch?
>>
> Makes sense to me.
>
>> How difficult do you think this will be, if so?
>>
> I haven't looked in great detail but it looks like a trivial change to
> o.a.c.connector.Response.toEncoded() would do the trick. Configuration
> should probably be on the context to be consistent with the cookies
> parameter.
>
> Mark
>
>> Best Regards,
>> Jim Manico
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org