> In my case it looks like I do have to encode all URLs: firewall problem
> with stripping out sessionId left me with no choice ;) Is it the right
> way of doing it?

ACK!  There's a firewall that's stripping out session ids from URLs but will
let cookies through?  There's a security no-brainer in charge... <smile>  Or
maybe it's just a Microsoft bigot in control, though "security no-brainer"
may still apply...  (Sorry -- sort of -- for my poor taste in jokes.)

I can't answer about "right way" since firewalls that block standard web
access will tend to cause standard web applications to no longer work.
That's like blocking port 80 and 443 and then asking whether it is "right" to
make your web site work on port 8080.  It's the firewall that's messed up,
not your application.  Unfortunately, you may have to work with it
regardless of the poor decision of the firewall owner.

Certainly, if you want, you can use the redirect scheme to detect if the
cookie is there.  In fact, you can even just check if the session can be
maintained through the redirects since Tomcat will fall back to cookies if
it can for its session id.  And in the end, if your session works either
way, then you don't have to force people to use session cookies.  But people
who want to use ANY authenticated web application will have to allow session
cookies or URL session ids because it's the way web applications handle
state management.  Good luck!

David
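
The redirect check described in the reply above, sketched as an added example that is not part of the original message: the servlet creates a session, redirects to itself through `encodeRedirectURL()`, and on the second request reports whether the session id came back by cookie, by URL, or not at all. The class name, the `probe` parameter and the response strings are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: name, "probe" parameter and messages are illustrative.
public class SessionProbeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (req.getParameter("probe") == null) {
            // First hit: create the session, then redirect back to this servlet.
            // encodeRedirectURL() adds ;jsessionid=... only while the container
            // cannot yet tell that the client returns the session cookie.
            req.getSession(true);
            String target = req.getRequestURI() + "?probe=1";
            resp.sendRedirect(resp.encodeRedirectURL(target));
            return;
        }

        // Second hit: did the session id survive the round trip, and by which route?
        HttpSession session = req.getSession(false);
        resp.setContentType("text/plain");
        if (session == null || !req.isRequestedSessionIdValid()) {
            // Neither the cookie nor the rewritten URL reached the server intact,
            // e.g. cookies are disabled and an intermediary stripped the URL id.
            resp.getWriter().println("no session: cookie and URL id were both lost");
        } else if (req.isRequestedSessionIdFromCookie()) {
            // Cookie works, so the application does not need to rewrite URLs.
            resp.getWriter().println("session carried by cookie");
        } else if (req.isRequestedSessionIdFromURL()) {
            // Only URL rewriting works: every link and form action must go
            // through encodeURL(), and the id will appear in access logs.
            resp.getWriter().println("session carried by URL rewriting");
        } else {
            resp.getWriter().println("session carried by another tracking mode");
        }
    }
}
```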

