> From: Scott Hamilton [mailto:[email protected]]
> Subject: RE: Is there a better way to disable JSESSIONID in the URLs?
>
> I could be missing something, but on a request where a session is
> created it appears as though Tomcat will both set the cookie AND
> do any necessary URL rewriting in order to ensure that the cookie
> is preserved.

Sorry, you're right; at that point Tomcat doesn't know if the client supports cookies. However, when skimming through the Tomcat code, the only internal call to encodeURL() that I can find appears to be called only for relative URLs, so possibly making your initial URLs absolute might avoid appending the jsessionid. (But I could have easily missed a call, and there may be another method that's doing the appending.)

> The issue in question isn't so much about determined hackers
> but hapless users who will bookmark URLs or worse, copy URLs
> to email to their co-workers.

"Hapless" being the operative word. I think you're stuck with using a filter.

 - Chuck
