Thanks chris!!!! I think I know what to do now......thanks!! =)

-----Original Message-----
From: Christopher Williams [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 9:53 PM
To: Tomcat Users List
Subject: Re: Implementing a Login procedure, but avoiding cookies/session


Anson,

If cookies are disabled, Tomcat uses URL rewriting to store the session
ID. When you encode URLs you need to use special methods to support
this feature.  These methods are defined in HttpServletResponse and are:
    String encodeURL(String url)
    String encodeRedirectURL(String url)

So, instead of calling:
    response.sendRedirect(url);
you should call:
    response.sendRedirect(response.encodeRedirectURL(url));

If the session ID is stored in a cookie, this call is a NOOP.

Does this make sense?  By the way, you may have noticed that some web
sites have a mysterious ";jsessionid=BASE64-encoded-gobbledygook" added
to the URLs when you browse them (try www.postoffice.co.uk for an
example).  This is URL-rewriting in action.  Importantly, the jsessionid
value is opaque. Unless you'd managed to spy on another user's session,
there is no useful change you could make to this value to enhance your
privileges on the web site.  The session IDs are long, random, unique
strings used (presumably) as the key to a hashtable.

Of course, there's nothing to stop you implementing a similar scheme
yourself, but there's no need.

Hope this is useful.

Chris.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
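A login servlet that puts Chris's advice into practice, added here as an example rather than code from the thread: the paths and the credential check are placeholders, and the session is re-created at login (a step the message does not mention) so the session ID a client had before authenticating is not the one that carries the logged-in state.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet; assumed to be mapped at /login in web.xml.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");

        if (!checkCredentials(user, pass)) {
            // Failed login: back to the form. encodeRedirectURL keeps the
            // existing (anonymous) session reachable across the redirect when
            // the ID travels in the URL instead of a cookie.
            response.sendRedirect(response.encodeRedirectURL("/login.jsp?error=1"));
            return;
        }

        // Discard any pre-login session and start a fresh one, so an ID that
        // was known before authentication never becomes the authenticated one
        // (session fixation). Works on any servlet version.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);

        // The call from the message: with cookie-based tracking this returns
        // the URL unchanged; with cookies unavailable Tomcat appends
        // ;jsessionid=... so the next request still finds the session.
        response.sendRedirect(response.encodeRedirectURL("/app/home"));
    }

    // Placeholder only: a real deployment verifies against a password store.
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

Links written into pages (not redirects) need the same treatment via response.encodeURL(), otherwise a cookie-less client loses its session on the first click.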
