Thanks Chris!!!! I think I know what to do now......thanks!! =)

-----Original Message-----
From: Christopher Williams [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 9:53 PM
To: Tomcat Users List
Subject: Re: Implementing a Login procedure, but avoiding cookies/session
Anson,

If cookies are disabled, Tomcat uses URL rewriting to store the session ID. When you encode URLs you need to use special methods to support this feature. These methods are defined in HttpServletResponse and are:

    String encodeURL(String url)
    String encodeRedirectURL(String url)

So, instead of calling:

    response.sendRedirect(url);

you should call:

    response.sendRedirect(response.encodeRedirectURL(url));

If the session ID is stored in a cookie, this call is a NOOP. Does this make sense?

By the way, you may have noticed that some web sites have a mysterious ";jsessionid=BASE64-encoded-gobbledygook" added to the URLs when you browse them (try www.postoffice.co.uk for an example). This is URL-rewriting in action. Importantly, the jsessionid value is opaque. Unless you'd managed to spy on another user's session, there is no useful change you could make to this value to enhance your privileges on the web site. The session IDs are long, random, unique strings used (presumably) as the key to a hashtable. Of course, there's nothing to stop you implementing a similar scheme yourself, but there's no need.

Hope this is useful.

Chris.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
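The redirect Chris describes, as an added example that is not part of the thread or of Tomcat itself; the LoginServlet class, the /account path and the demo credential are assumptions made for illustration:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet. After a successful login it stores the user in the
// session and redirects to /account. The redirect target goes through
// encodeRedirectURL() so Tomcat appends ";jsessionid=..." only for clients that
// did not send a session cookie, and leaves the URL untouched otherwise.
public class LoginServlet extends HttpServlet {
    // Constructed demo credential for this example only; a real application
    // verifies against a password store, never a literal in the servlet.
    private static final String DEMO_USER = "anson";
    private static final String DEMO_PASS = "example-password";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session on login so an ID issued before authentication
        // (which may already have appeared in a rewritten URL) is not kept.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);

        // Wrong for cookie-less clients: the session ID is lost on redirect.
        //   resp.sendRedirect(req.getContextPath() + "/account");
        // Right: the container decides whether the URL needs rewriting.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }

    // Constant-time comparison so the check does not leak via timing.
    private boolean checkCredentials(String user, String pass) {
        byte[] u = user.getBytes(StandardCharsets.UTF_8);
        byte[] p = pass.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(u, DEMO_USER.getBytes(StandardCharsets.UTF_8))
            && MessageDigest.isEqual(p, DEMO_PASS.getBytes(StandardCharsets.UTF_8));
    }
}
```

Links written into HTML pages get the same treatment through encodeURL(). Because a rewritten ID sits in the URL, it can end up in browser history, proxy logs and Referer headers, which is why the cookie mode is preferable whenever the client allows it.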