David Wall wrote:

> According to the JSP docs, all URLs need to be passed through
> Response.encodeUrl() if you will use them with sessions that are not
> controlled by cookies. Does this mean that in a JSP, all HREFs and
> FORM targets must be run through encodeUrl()?  That seems rather a
> pain to ensure everything's okay, and a good problem. For example,
> what if my JSP sends a person to a regular HTML page?  I mean, many
> pages do not really need to be JSPs, especially if they are not
> accessed frequently or there really is not dynamic content.  Then, if
> the user leaves that page to go to a JSP page, how will the URL in the
> HTML be set up for passing that session information through to the
> JSP? It seems rather odd somehow...  Or perhaps it's better to just
> require cookies if they want session behavior????
>
> David

Yep, if you are not using cookies, then you need things like the
following in your JSP pages:

    <a href="<%= response.encodeURL("/the/page.html") %>">The Page</a>

in order to maintain session state.

Links to static HTML pages will definitely break session continuity, if
there are links from those HTML pages back to your JSP pages or
servlets.  A couple of strategies to consider:

* Just rename your *.html pages to *.jsp and put in the
  encode logic as above.  The pages will be compiled the
  first time you access them, like any other JSP page.

* Create JSP pages that use "include" to copy in the
  text of the static HTML parts.  This works well if the
  only session-sensitive links you need are in a navigation
  bar or other element that can be done inside the JSP part.

* Use frames, again assuming the static pages don't
  have any links back to the app

* Force users to have cookies on.  This might be practical
  in an intranet setting, or a subscription-based Internet
  app, but probably not for general public access Internet apps.

Craig McClanahan
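
The mechanism described in the reply above, as an added example that is not part of the original message and not any servlet container's code. It is a simplified model: the class and method names, the sample URL and the session id are constructed for illustration, and `jsessionid` is the path-parameter name the Servlet specification uses for URL rewriting.

```java
// Added illustration: a simplified model of URL rewriting, not a container's implementation.
public class UrlRewriteDemo {

    /**
     * Models HttpServletResponse.encodeURL(): if the session id did not arrive
     * in a cookie, append it as a ";jsessionid=" path parameter, placed before
     * any query string or fragment.
     */
    static String encodeURL(String url, String sessionId, boolean idFromCookie) {
        if (sessionId == null || idFromCookie) {
            return url; // no session, or the cookie already carries the id
        }
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    /** Models the container reading the id back out of a requested URL. */
    static String sessionIdFrom(String requestUrl) {
        int start = requestUrl.indexOf(";jsessionid=");
        if (start < 0) return null; // no id in the URL: the request has no session
        start += ";jsessionid=".length();
        int end = start;
        while (end < requestUrl.length() && "?#;".indexOf(requestUrl.charAt(end)) < 0) end++;
        return requestUrl.substring(start, end);
    }

    public static void main(String[] args) {
        String sid = "CONSTRUCTED-SESSION-ID"; // constructed sample value

        // Link emitted by a JSP through encodeURL(), browser has cookies off.
        String fromJsp = encodeURL("/app/cart.jsp?item=42#top", sid, false);
        // The same link written by hand in a static HTML page: nothing rewrites it.
        String fromStaticHtml = "/app/cart.jsp?item=42#top";
        // The JSP link again, when the browser accepted the session cookie.
        String withCookie = encodeURL("/app/cart.jsp?item=42#top", sid, true);

        System.out.println(fromJsp + " -> session " + sessionIdFrom(fromJsp));
        System.out.println(fromStaticHtml + " -> session " + sessionIdFrom(fromStaticHtml));
        System.out.println(withCookie + " (id travels in the Cookie header)");
    }
}
```

The second line of output shows the break in continuity: the link from the static page reaches the JSP with no session id, so the container treats the request as having no existing session.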
