Thanks for the reply.

> Tomcat won't put the jsessionid in the URL unless cookies are disabled.
> If they are, then your webapp could refuse to talk to the client.

I could be missing something, but on a request where a session is created it appears as though Tomcat will both set the cookie AND do any necessary URL rewriting in order to ensure that the cookie is preserved. If the session (a) already exists and (b) was received in the request through a cookie reference, it will NOT do the URL rewriting. I'm assuming this is to cover the bases and ensure a JSESSIONID gets injected into the following requests regardless of the client's cookie acceptance policy.

> And the id value in a cookie doesn't? What stops anyone from e-mailing the
> cookie to someone else? If someone is truly concerned about security, then
> they *must* run *all* traffic through SSL. If the customers don't do that,
> they're not really concerned, despite whatever words they're using.

You're absolutely correct, and SSL is used for our security-conscious customers. The issue in question isn't so much about determined hackers but hapless users who will bookmark URLs or, worse, copy URLs to email to their co-workers.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, August 17, 2010 6:16 PM
To: Tomcat Users List
Subject: RE: Is there a better way to disable JSESSIONID in the URLs?

> From: Scott Hamilton [mailto:scott.hamil...@plateau.com]
> Subject: Is there a better way to disable JSESSIONID in the URLs?
>
> there is no way to disable tomcat from putting the JSESSIONID in URLs
> automatically with a nice friendly global switch/property.

Tomcat won't put the jsessionid in the URL unless cookies are disabled. If they are, then your webapp could refuse to talk to the client.

> We have an app whose security is a concern for our customers, and
> JSESSIONIDs appearing in the URLs freak them out

And the id value in a cookie doesn't? What stops anyone from e-mailing the cookie to someone else? If someone is truly concerned about security, then they *must* run *all* traffic through SSL.

If the customers don't do that, they're not really concerned, despite whatever words they're using.

 - Chuck