Re: url rewriting supported?

2008-06-22 Thread Janne Jalkanen
On Jun 19, 2008, at 22:39 , Andrew Jaquith wrote: Simon -- I've been gently tweaking Janne from time to time about externalizing the URL constructors in a similar manner to what you describe, although the use I had in mind wasn't related to session IDs. I'm still opposed to the idea

Re: url rewriting supported?

2008-06-19 Thread Simon Kitching
Olaf Kock wrote: Simon Kitching wrote: By the way, I don't see cookies as a lot more secure. The cookie text is also sent in plain text in both the request and response bodies. There aren't many cases where someone can intercept the url but not the cookies. But thanks for the

Re: url rewriting supported?

2008-06-19 Thread Janne Jalkanen
Just for the record (in case someone else wants to do this), enabling url rewriting support seems to be fairly easy. I have: * added a servlet filter which stores the HttpServletResponse in a thread-local * implemented a custom URLConstructor (subclassing DefaultURLConstructor) which overrides

Re: url rewriting supported?

2008-06-19 Thread Andrew Jaquith
Simon -- I've been gently tweaking Janne from time to time about externalizing the URL constructors in a similar manner to what you describe, although the use I had in mind wasn't related to session IDs. Something like http://tuckey.org/urlrewrite/ would do nicely, and would certainly

Re: url rewriting supported?

2008-06-18 Thread Simon Kitching
Hi Andrew, Many thanks for the quick answer. Yes I did mean encoding the session id in the url (http://host/foo.jsp;jsessionid=123?page=Main;). We want to disable cookies in our dev environment so that we can log into the same app multiple times from the same browser; this makes testing some

Re: url rewriting supported?

2008-06-18 Thread Olaf Kock
Simon Kitching wrote: By the way, I don't see cookies as a lot more secure. The cookie text is also sent in plain text in both the request and response bodies. There aren't many cases where someone can intercept the url but not the cookies. But thanks for the reference to OWASP; I'll have a