Or, you could write a filter that checks request.isRequestedSessionIdFromURL() and invalidates the session if it is. btw, if there is a cookie set, that overrides anything provided in the url.eric
This is what I ended up doing. Thanks. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]