> From: Scott Hamilton [mailto:scott.hamil...@plateau.com]
> Subject: RE: Is there a better way to disable JSESSIONID in the URLs?
>
> I could be missing something, but on a request where a session is
> created it appears as though Tomcat will both set the cookie AND
> do any necessary URL rewriting in order to ensure that the cookie
> is preserved.

Sorry, you're right; at that point Tomcat doesn't know if the client supports cookies. However, when skimming through the Tomcat code, the only internal call to encodeURL() that I can find appears to be called only for relative URLs, so possibly making your initial URLs absolute might avoid appending the jsessionid. (But I could have easily missed a call, and there may be another method that's doing the appending.)

> The issue in question isn't so much about determined hackers
> but hapless users who will bookmark URLs or worse, copy URLs
> to email to their co-workers.

"Hapless" being the operative word.

I think you're stuck with using a filter.

 - Chuck