Geoff Soutter wrote:

> Thanks for the explanation Craig.
>
> >> What I want to know is, given an input URL A, what must the format of A be
> >> in order to trigger the session encoding?
>
> >The simple version of the rule is this: the only URLs that should be encoded
> >(assuming the servlet engine has decided it is necessary) are those that
> >(after being expanded into an absolute URL) point back at THIS host. In
> >addition, if you are in a version 2.1+ servlet engine environment, and the
> >servlet context your servlet resides in is mapped to a URI prefix, then only
> >URLs that go back to this host, and resolve to the same prefix, should be
> >encoded.
>
> How about situations where there are multiple virtual hosts and only one
> servlet engine? Or where you are doing redirection in the web server as well
> (e.g. mod_rewrite in Apache)? Surely the above rule would restrict the
> flexibility of the call?
>

You have to start from the definitions in the servlet API specification
(reading this is always a good idea :-):

* Sessions do not cross ServletContext boundaries (even within
  the same virtual host).

* ServletContexts do not cross virtual host boundaries.

Therefore, a session ID from one servlet context is not relevant to any other
servlet context in the same virtual host, or to any servlet context in any
other virtual host.  The design rule I quoted above is consistent with these
restrictions.

If you encode a URL and send it elsewhere, you are at best sending nonsense
(even if the servlet engine at the new site is the same software, it won't
recognize this ID as a valid session); at worst you are creating a possible
security hazard if the servlet at the new host is malicious and turns around to
your original host, attempting to impersonate a real user by sending back the
session ID that you shared.  The latter scenario is pretty much on par with
sharing the PIN number on your ATM card.


> Cheers,
>
> Geoff
>

Craig

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
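The "same host, same context" rule Craig describes, written out as a standalone Java helper. This is an added example for this archive page, not code from the thread and not any servlet engine's implementation of HttpServletResponse.encodeURL(); the class name SessionUrlEncoder, the explicit scheme/host/port/contextPath constructor (a real engine reads these from the request), the session ID value and the sample URLs in main() are all constructed for illustration. It covers the two cases raised above: a URL that resolves to a different virtual host is never encoded, and within one host only URLs that resolve under this context's prefix are encoded, with a guard so that a context mapped to /shop does not match /shopping. Whether encoding is needed at all (i.e. whether the client refused the session cookie) is the engine's separate decision and is left out here.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical class, not from the thread or any servlet engine):
 * decides whether a session ID may be appended to a URL, using the rule that the
 * URL, once made absolute, must point back at THIS host and THIS servlet context.
 */
public final class SessionUrlEncoder {

    private final String scheme;      // scheme of the current request, e.g. "https"
    private final String host;        // virtual host the current request arrived on
    private final int port;           // effective port of the current request
    private final String contextPath; // context prefix, "" for the root context
    private final String sessionId;   // the ID that encodeURL() would append

    public SessionUrlEncoder(String scheme, String host, int port,
                             String contextPath, String sessionId) {
        this.scheme = scheme;
        this.host = host;
        this.port = port;
        this.contextPath = contextPath;
        this.sessionId = sessionId;
    }

    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    /** True only if url resolves to the same scheme, host, port and context prefix. */
    public boolean isEncodeable(String url) {
        URI target;
        try {
            // Resolve relative URLs against the root of this context, so that
            // "cart.jsp" and "/shop/cart.jsp" are treated the same way.
            URI base = new URI(scheme, null, host, port, contextPath + "/", null, null);
            target = base.resolve(new URI(url));
        } catch (URISyntaxException e) {
            return false; // unparsable: never attach a session ID to it
        }
        if (target.getScheme() == null || !target.getScheme().equalsIgnoreCase(scheme)) return false;
        if (target.getHost() == null || !target.getHost().equalsIgnoreCase(host)) return false;
        int targetPort = target.getPort() == -1 ? defaultPort(target.getScheme()) : target.getPort();
        if (targetPort != port) return false;
        String path = target.getPath() == null ? "" : target.getPath();
        // Same context: the path is the prefix itself or lies strictly below it.
        // The trailing "/" stops "/shop" from matching a sibling context "/shopping".
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    /** Appends ;jsessionid=... before any query string or fragment, or returns url unchanged. */
    public String encodeURL(String url) {
        if (!isEncodeable(url)) return url;
        int cut = url.length();
        int q = url.indexOf('?');
        if (q >= 0) cut = q;
        int hash = url.indexOf('#');
        if (hash >= 0 && hash < cut) cut = hash;
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        // Constructed sample: request arrived on https://www.example.com/shop/... with session ABC123.
        SessionUrlEncoder enc = new SessionUrlEncoder("https", "www.example.com", 443, "/shop", "ABC123");
        String[] urls = {
            "/shop/cart.jsp?item=42",                  // same host and context: encoded
            "cart.jsp",                                // relative, resolves into /shop/: encoded
            "https://www.example.com/shop/",           // absolute, same origin: encoded
            "/shopping/list.jsp",                      // prefix collision, different context: unchanged
            "../admin/index.jsp",                      // resolves outside /shop: unchanged
            "http://www.example.com/shop/cart.jsp",    // different scheme and port: unchanged
            "https://other.example.org/shop/cart.jsp", // another host: the ID must not leak there
        };
        for (String u : urls) {
            System.out.println(u + " -> " + enc.encodeURL(u));
        }
    }
}
```

The last sample URL is the case Craig warns about: a URL that leaves this host is returned untouched, so the session ID is never handed to a third party that could replay it against the original host. In a real engine the same comparison is made against the incoming request's host and the context path the servlet is deployed under, so a single engine serving several virtual hosts still keeps each host's session IDs on that host.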
