
I don't yet fully understand the issue, but I don't think we ever want the session ID to show up in the URL. It's like an invitation for a session hijacking attack.
I don't know if there's any part of the servlet spec that mandates such a behaviour, but if Winstone is somehow doing that, we need it to stop doing that. And hopefully that'll solve the problem?