Since you were curious why someone would want to disable URL rewriting, I can tell you why we had to do this.
For our client, it was taken as a given that users would be frequently copying/pasting URLs in emails and IMs to other users. It's not a necessary part of our application, but we all know the vast majority of computer users are basically clueless when it comes to security and simply won't consider the security implications of their actions. If you enable URL rewriting, it makes it possible for someone visiting a URL sent to them in an email/IM to be logged in as the user who was originally passed the URL.

Additionally, the users of the application frequently take screenshots when submitting bugs, and those screenshots would, in many cases, also include the session id.

In our application, where real money is at stake, this kind of risk is unacceptable. I'd go as far as to say that URL rewriting is fundamentally insecure for this reason and should be turned off whenever it's possible that URLs would be exposed in either of these two manners (provided your application requires a decent level of security).

Christopher Schultz-2 wrote:
>
> ...
>
> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.
>
> ...

--
View this message in context: http://www.nabble.com/Turning-off-jsessionid-tp13430750p14289776.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
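The two exposure paths the post describes (a URL pasted into an email or IM, and a screenshot that captures the address bar) both rely on the container accepting a session id from the URL path. The following servlet filter is an added illustration, not code from the poster or from Tomcat: it refuses to honour a session id that arrived as a `;jsessionid=` path parameter, invalidates that session, logs the event, and redirects the client to the same resource without the path parameter. The filter name, the log wording and the redirect policy are my own choices; the `isRequestedSessionIdFromURL()` call is standard Servlet API.

```java
// Added example (not from the original post): a filter that treats a session id
// presented in the URL path as compromised, because the URL has probably been
// copied into an email/IM or captured in a screenshot.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RejectUrlSessionFilter implements Filter {   // hypothetical name

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container sets this flag when the requested session id came from the
        // URL path (;jsessionid=...) rather than from the JSESSIONID cookie.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                // Whoever received the URL also holds this id: burn the session so
                // neither the original user nor the recipient can keep using it.
                existing.invalidate();
            }

            // One log line per occurrence so operators can see how often URLs
            // carrying session ids are actually being shared.
            request.getServletContext().log("session id presented in URL path from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI()
                    + "; session invalidated");

            // Rebuild the request path without the path parameter. getRequestURI()
            // may still contain ";jsessionid=", so assemble it from the parts that
            // the container has already stripped of path parameters.
            String clean = request.getContextPath() + request.getServletPath()
                    + (request.getPathInfo() == null ? "" : request.getPathInfo());
            String query = request.getQueryString();
            response.sendRedirect(query == null ? clean : clean + "?" + query);
            return;
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The filter is a second line of defence; the first is to stop the container from ever writing the id into URLs. On Servlet 3.0 and later that is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in `web.xml`, which also makes the container ignore `;jsessionid=` on incoming requests so the filter branch above is rarely reached. Tomcat 6 predates that setting and instead offers the `disableURLRewriting="true"` attribute on the `<Context>` element. Either way, `response.encodeURL()` and `encodeRedirectURL()` then return the URL unchanged, so links, redirects and screenshots carry nothing that identifies a session.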