This topic comes up on the list very frequently; ask ten developers
this question and you may even get eleven opinions. Your answer is: it
depends on your use case and security requirements (for example: I may
not care, in a shopping cart application, if I write a product id in the
URL, but I
The man-in-the-middle attack you describe below is one possible
issue. However, it's easy to capture cookies and provide those in an
attack. An effective hacker is going to be able to look exactly like
the client on an unencrypted connection. URL-encoded sessionIds can
cause headaches if you
Farhan,
mfs wrote:
| I would want to know the downsides to using cookie-less sessions? I want to
| give my client the freedom to disable cookies on the browser if he chooses
| to, but I would want to know the implications to that?
On Thu, 2008-04-17 at 09:38 -0400, Christopher Schultz wrote:
The only runtime bottleneck is the time required to add
;jsessionid=123456789 to your outgoing URLs, which is to say pretty
much nothing. The engineering bottleneck is that you have to run all
your URLs through
Robert,
Robert Koberg wrote:
| On Thu, 2008-04-17 at 09:38 -0400, Christopher Schultz wrote:
| The only runtime bottleneck is the time required to add
| ;jsessionid=123456789 to your outgoing URLs, which is to say pretty
| much nothing. The
this message in context:
http://www.nabble.com/Cookie-less-session-tracking---whats-are-the-downsides-tp16738472p16738472.html
Sent from the Tomcat - User mailing list archive at Nabble.com.