Jose, Adam

It's not the best solution, but it should be possible to not set the SESSIONID in a cookie, but in (a) hidden form field(s). Remember when you do this, that you need a very strong security encryption. It requires that you overload the SESSIONID get function, which I think must be possible, although I didn't try it.

Sjoerd

-----Original Message-----
From: Jose Alfonso Martinez [mailto:[EMAIL PROTECTED]
Sent: Sunday 28 September 2003 18:10
To: Tomcat Users List

Adam,

I am in the same issue as you and haven't come out with any workaround yet...

However, in my site, the login form could be an html because I don't need to maintain a session until the user has logged in.

Do you really need to maintain a session, even when the user is just browsing static html files (before logging in)???

If the answer is no, then you could have an html login form.

Jose

On Sun, Sep 28, 2003 at 05:10:52PM +0200, Adam Hardy wrote:
> I think I have a problem.
>
> I want form-based container-managed authentication on my app.
>
> I also want to allow cookies to be disabled.
>
> And I want to keep my JSPs under WEB-INF for security.
>
> It seems I cannot have these 3 combined, because disabling cookies means
> I have to do URL rewriting in the login form action URL, therefore my
> login form has to be a JSP and cannot be just plain .html .
>
> But while I do not want any JSPs outside of WEB-INF, I can't configure
> my login form to be in WEB-INF.
>
> Is this true, or is there a work-around?
>
> Thanks
> Adam
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]