This topic comes up on the list very frequently; ask ten developers this question and you may even get eleven opinions. The answer is: it depends on your use case and security requirements (for example, I may not care, in a shopping cart application, if I write a product id in the URL, but I may care about exposing a primary key for a user record in the URL)... these are subject to your implementation.

I suggest you do a little more reading and understand the history of cookies and URL rewriting, which may help you to understand why/why not/when to use them, because this is a highly subjective area, and when do developers agree about technology anyway! Personally, though, I am prepared to sacrifice some compatibility in favour of security... on the other hand, I also detest the over-paranoid.

Peter
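As an added illustration of the "sacrifice some compatibility in favour of security" option (my example, not code from this thread or from Tomcat): a servlet filter that refuses to resume a session whose id arrived in the URL rather than in a cookie. The class name is hypothetical; `isRequestedSessionIdFromURL()` and the other calls are the standard Servlet API.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: refuse to resume a session whose id arrived as a
 * ;jsessionid=... path parameter instead of in a cookie. A URL-borne id can
 * be copied from a bookmark, a Referer header or a proxy/web server log, or
 * planted by a third party; SSL protects none of those. A cookie-less client
 * still works, but gets a fresh session instead of resuming the old one.
 */
public class RejectUrlSessionIdFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Servlet API: true only when the id came via URL rewriting, not a cookie.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();   // kill the exposed id rather than honour it
            }
            // Rebuild the same resource path without the path parameter;
            // getServletPath() and getPathInfo() never carry ;jsessionid.
            StringBuffer clean = new StringBuffer(request.getContextPath());
            clean.append(request.getServletPath());
            if (request.getPathInfo() != null) {
                clean.append(request.getPathInfo());
            }
            if (request.getQueryString() != null) {
                clean.append('?').append(request.getQueryString());
            }
            // Plain sendRedirect, not encodeRedirectURL, so no id is re-added.
            response.sendRedirect(clean.toString());
            return;
        }
        chain.doFilter(req, res);
    }
}
```

On a Servlet 3.0 or later container the same policy can be set declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml. Either way the application must stop calling `encodeURL()`/`encodeRedirectURL()`, or every rewritten link will trigger the redirect.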


mfs wrote:
Guys,

I would want to know the downsides to using cookie-less sessions. I want to
give my client the freedom to disable cookies on the browser if he chooses
to, but I would want to know the implications of that.

Some say exposing your sessionId in the URL exposes it to hackers who can
spoof the IP (of the victim) and provide the jsessionId (in the URL) and
can gain control of the victim's session, but if you are using SSL, that
shouldn't be an issue.

Would someone comment on the real hazards/bottlenecks to the cookie-less
approach.

Thanks in advance and Regards,

Farhan.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org