Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is. btw, if there is a cookie set, that
overrides anything provided in the url.
eric
This is what I ended up doing. Thanks.
the jsessionid in the new url. They
then bookmark the page (session id included) and end
up reusing it. It is possible (though unlikely) to
have two users conflict on a single session id this
way, so I eliminate the possibility entirely.
-marc
--- Chetan Sabnis [EMAIL PROTECTED] wrote:
Is there a way