According to the JSP docs, all URLs need to be passed through
Response.encodeUrl() if you will use them with sessions that are not controlled
by cookies.
Does this mean that in a JSP, all HREFs and FORM targets
must be run through encodeUrl()? That seems rather a pain to ensure
everything's okay, and a good problem.
For example, what if my JSP sends a person to a regular HTML
page? I mean, many pages do not really need to be JSPs, especially if they
are not accessed frequently or there really is not dynamic content. Then,
if the user leaves that page to go to a JSP page, how will the URL in
the HTML be set up for passing that session information through to the
JSP?
It seems rather odd somehow... Or perhaps it's better to
just require cookies if they want session behavior?
David