-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ken,
Ken Bowen wrote: > But all this leads to the obvious question (which I asked): If I'm not > going to allow jsessionid's to slip out, can I suppress > their creation totally? The "creation" of the id is implicit in the creation the session: the session simply /has/ an id. You're try trying to avoid appending it to the URL in all cases. The filter you referenced should do that. > Now, having said all that, I'm more than open to hearing alternative > ways of dealing the with problem, namely that search > engines penalize you for the presence of jesessionid's. The filter will prevent the session from appearing in URLs. Just note that if a cookie-less spider (that's pretty much all of 'em) hits your website and you use sessions without url rewriting, then every single request from the spider will generate a new session (yikes!). You may want to be careful about even creating sessions when you detect a search spider. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHIibn9CaO5/Lv0PARAqM4AJ9VRThAQdqHp4xaN3E5XRVTccWq1gCgi7nT 0BetvQ/E81m5lzaKDRngjzs= =Ddap -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]