Hi:
        I am using JBoss 4.0.5.  Do you think I should configure it on
JBoss for hiding the jsessionid on the URL?


I have used the following code from this link:
http://randomcoder.com/articles/jsessionid-considered-harmful

Unfortunately, I was not able to re-login the app again.  Thanks.

-----Original Message-----
From: Scott O'Bryan [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 1:04 PM
To: MyFaces Discussion
Subject: Re: [tobago] Can we hide the session id on the URL?

It's NOT in the web.xml.  It's container specific and controls the 
behavior of the encodeURL method which is responsible for putting that 
information on the url.

Scott

Mike Kienenberger wrote:
> No, I don't remember how to do this off the top of my head.  The one
> place I know how to do it (OC4J) is a container-specific web page.
> It might be in the web.xml file as well, though.
> A google search or docs for your container are probably the best place
> to look.
>
> On 4/12/07, Wong, Emmanuel (Sam) <[EMAIL PROTECTED]> wrote:
>> Hi:
>>         Do you have an example file to configure the
>> container/application to store session information in cookies instead of
>> the url?  Is it on the web.xml file?  Thanks.
>>
>> -----Original Message-----
>> From: Mike Kienenberger [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, April 12, 2007 12:10 PM
>> To: MyFaces Discussion
>> Subject: Re: [tobago] Can we hide the session id on the URL?
>>
>> This is a standard issue with servlet applications.
>> One solution is to track the original ip address in the session, and
>> reject any requests that come from a different ip address.
>> Another solution is to configure your container/application to store
>> session information in cookies instead of the url.
>>
>> On 4/12/07, Wong, Emmanuel (Sam) <[EMAIL PROTECTED]> wrote:
>> >
>> >
>> >
>> > Hi:
>> >
>> >         Could we hide the session id on the URL?  It seems if I
>> > capture the URL with the session id, I was able to get into the
>> > application.  Thanks.
>> >
>> > --> Sam Wong
>> >
>> >
>>
>
