Hi,
Is there any way to enforce a session cookie (JSESSIONID)to be send
to the client (browser) from servlet.
No, because the Servlet Spec says Servlet Container must work even on
clients that don't support cookies (or have cookies turned off, which is
becoming a more and more common use-case).
Is there any way to enforce a session cookie (JSESSIONID)to be send
to the client (browser) from servlet.
No, because the Servlet Spec says Servlet Container must work even on
clients that don't support cookies (or have cookies turned off, which is
becoming a more and more common use-case).
Hi,
Session cookies (those that don't persist) are becoming quite common
actually because even small devices are able to keep that bit of
session
state quite easily.
Ahh yes, small devices. Good point. I based my earlier assertion on
research I read recently showing a (and this is a good
Is it true, that new sessionId will be resend if a new session get
created?
--- Shapira, Yoav [EMAIL PROTECTED] wrote:
Hi,
Session cookies (those that don't persist) are becoming quite
common
actually because even small devices are able to keep that bit of
session
state quite easily.
But that's details, the main point I made still holds, and that's that
the Servlet Spec mandates Tomcat's behavior in this area.
Absolutely, Yoav! I certainly didn't mean to imply anything negative about
your response, only that the original inquiry could be handled/checked by
his application
In my case it looks like I do have encode all URLs: firewall problem
with stripping out sessionId left me with no choice ;) Is it right
way of doing it?
Thanks a lot.
Mark.
--- David Wall [EMAIL PROTECTED] wrote:
But that's details, the main point I made still holds, and that's
that
the
In my case it looks like I do have encode all URLs: firewall problem
with stripping out sessionId left me with no choice ;) Is it right
way of doing it?
ACK! There's a firewall that's stripping out session ids from URLs but will
let cookies through? There's a security no-brainer in charge...