Putting the session ID in the URL (which I think is what you are
asking about) is a fairly severe security risk. Cloning the session
becomes trivial if the URL is obtained.

I know that in certain locales (Germany, for example), it is believed
that cookies represent an invasion of privacy. But, perversely,
banning cookies actually decreases the overall level of security for
webapps because the session ID is now exposed in the URL. For this
reason, the practice of adding session IDs to webapp URLs has always
been discouraged by best-practice organizations such as OWASP.

Janne's comment from 2006, I expect, still holds. We would encourage
anyone who wishes to eliminate cookies -- in spite of best-practice
advice from the security community -- to write their own patches. But
it is extremely unlikely that JSPWiki will ever incorporate a "no
cookie" (URL rewriting) feature.

Andrew

On Jun 18, 2008, at 10:20 AM, Simon Kitching wrote:

Hi,

This email from 2006 says that "url rewriting" (i.e. having sessions
without cookies) is not supported by JSPWiki. Is this still true for
later releases?

http://www.nabble.com/URL-Rewriting-to6040752.html#a6042004

Thanks,
Simon
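
An added example, not part of the original email thread and not JSPWiki code: a small access-log audit that shows where a URL-borne session ID ends up once URL rewriting is on. It assumes the servlet container's default `;jsessionid=` path parameter and the "combined" access-log format; the log lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" access-log format.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jun/2008:10:20:01 +0000] "GET /wiki/Main;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2008:10:20:09 +0000] "GET /wiki/Edit.jsp;jsessionid=A1B2C3D4E5F6?page=Main HTTP/1.1" 200 7311 "http://wiki.example/wiki/Main;jsessionid=A1B2C3D4E5F6" "Mozilla/5.0"
203.0.113.44 - - [18/Jun/2008:10:31:40 +0000] "GET /wiki/Main;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 5120 "-" "curl/7.18"
192.0.2.15 - - [18/Jun/2008:10:33:10 +0000] "GET /wiki/About HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, request line, status, size, Referer (user agent is ignored)
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
# Assumption: the container uses the default session parameter name.
SID = re.compile(r';jsessionid=([A-Za-z0-9._-]+)', re.IGNORECASE)


def audit(log_text):
    """Report session IDs exposed in request URLs and Referer headers."""
    clients = defaultdict(set)   # session ID -> client IPs that presented it
    referer_leaks = set()        # session IDs that travelled in a Referer
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # skip lines that are not in combined format
        for sid in SID.findall(m['url']):
            clients[sid].add(m['ip'])
        referer_leaks.update(SID.findall(m['referer']))
    # One ID presented from several addresses is a lead for session reuse;
    # NAT or a roaming client can also cause it, so treat it as a lead only.
    shared = {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}
    return {
        "url_sessions": sorted(clients),
        "shared": shared,
        "referer_leaks": sorted(referer_leaks),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Every hit in `url_sessions` is a session ID that was written to the server log in clear text, and every hit in `referer_leaks` is one the browser forwarded in a header; with cookie-only session tracking both lists stay empty.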