Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-27 Thread Rainer Jung
On 26.08.2010 23:29, Wesley Acheson wrote: On Sat, Aug 21, 2010 at 12:12 PM, Pid p...@pidster.com wrote: On 20/08/2010 22:40, Wesley Acheson wrote: I'm a bit lost with this thread. Are people suggesting I should submit a patch? I really wouldn't know where to begin looking. That's where the

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-26 Thread Wesley Acheson
On Sat, Aug 21, 2010 at 12:12 PM, Pid p...@pidster.com wrote: On 20/08/2010 22:40, Wesley Acheson wrote: I'm a bit lost with this thread. Are people suggesting I should submit a patch? I really wouldn't know where to begin looking. That's where the discussion was heading. Tomcat is Open

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-23 Thread Wesley Acheson
https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 On Sun, Aug 22, 2010 at 5:55 PM, Mark Thomas ma...@apache.org wrote: On 22/08/2010 16:29, Wesley Acheson wrote: Sorry for bringing this off list. I'll put it back on list if you think that appropriate. You think that the context is the

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-23 Thread Scott Hamilton
Awesome dude (that you submitted the patch so quick - I've not looked at it in detail yet). Thanks! -Original Message- From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Sent: Monday, August 23, 2010 2:33 PM To: Tomcat Users List Subject: Re: Is there a better way to disable

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-23 Thread Wesley Acheson
! -Original Message- From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Sent: Monday, August 23, 2010 2:33 PM To: Tomcat Users List Subject: Re: Is there a better way to disable JSESSIONID in the URLs? https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 On Sun, Aug 22, 2010 at 5:55 PM

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-22 Thread Wesley Acheson
Sorry for bringing this off list. I'll put it back on list if you think that appropriate. You think that the context is the correct place to put this? I thought maybe web.xml but I don't know if you can extend that or if it's rigidly covered by the spec. I started to do this on the connector is that

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-22 Thread Mark Thomas
On 22/08/2010 16:29, Wesley Acheson wrote: Sorry for bringing this off list. I'll put it back on list if you think that appropriate. You think that the context is the correct place to put this? I thought maybe web.xml but I don't know if you can extend that or if it's rigidly covered by the

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-22 Thread Wesley Acheson
On Sun, Aug 22, 2010 at 5:55 PM, Mark Thomas ma...@apache.org wrote: On 22/08/2010 16:29, Wesley Acheson wrote: Sorry for bringing this off list. I'll put it back on list if you think that appropriate. You think that the context is the correct place to put this? I thought maybe web.xml

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-22 Thread Caldarale, Charles R
From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Subject: Re: Is there a better way to disable JSESSIONID in the URLs? I wasn't actually going to do it but I think the specs should allow vendor extensions to web.xml. That would be a really bad idea, and pretty much kill off any chance

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-21 Thread Pid
On 20/08/2010 22:40, Wesley Acheson wrote: I'm a bit lost with this thread. Are people suggesting I should submit a patch? I really wouldn't know where to begin looking. That's where the discussion was heading. Tomcat is Open Source. The first place to look would be SVN.

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-20 Thread Pid
On 19/08/2010 20:41, Wesley Acheson wrote: On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote: On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The servlet specification mandates this behavior. Tomcat simply must support it. The spec

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-20 Thread Mark Thomas
On 20/08/2010 14:33, Pid wrote: On 19/08/2010 20:41, Wesley Acheson wrote: Is there anywhere we could vote for such a feature? I know Resin has it as I've stated before. You could file an enhancement request in Bugzilla, but it would be more likely to get attention if it came with a patch.

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-20 Thread Christopher Schultz
Pid, On 8/20/2010 8:33 AM, Pid wrote: On 19/08/2010 20:41, Wesley Acheson wrote: On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote: On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-20 Thread Pid
On 20/08/2010 17:35, Christopher Schultz wrote: Pid, On 8/20/2010 8:33 AM, Pid wrote: On 19/08/2010 20:41, Wesley Acheson wrote: On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote: On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-20 Thread Wesley Acheson
I'm a bit lost with this thread. Are people suggesting I should submit a patch? I really wouldn't know where to begin looking. On Fri, Aug 20, 2010 at 7:47 PM, Pid p...@pidster.com wrote: On 20/08/2010 17:35, Christopher Schultz wrote: Pid, On 8/20/2010 8:33 AM, Pid wrote: On

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Wesley Acheson
I was going to write this off list because it's off topic, but maybe the information is useful. On Thu, Aug 19, 2010 at 5:19 AM, Christopher Schultz ch...@christopherschultz.net wrote: Wesley, On 8/17/2010 6:05 PM, Wesley Acheson wrote: I know

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Scott Hamilton
Sorry to pull the thread back to my original problem, but I have one more question here. So far it looks like there's no way to prevent JSESSIONIDs from being injected into URLs that Tomcat might encode unless you implement a servlet filter to override that behavior. My follow-up question is

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Pid
On 19/08/2010 13:32, Scott Hamilton wrote: Sorry to pull the thread back to my original problem, but I have one more question here. So far it looks like there's no way to prevent JSESSIONIDs from being injected into URLs that Tomcat might encode unless you implement a servlet filter to

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Christopher Schultz
Wesley, On 8/19/2010 3:57 AM, Wesley Acheson wrote: We disabled both accepting of URL sessionId's and the session encoding URLs. Our application has worked well since with no problems. In fact better as we can cache certain pages in their entirety

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Len Popp
On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The servlet specification mandates this behavior. Tomcat simply must support it. The spec says nothing of configurability, so Tomcat does not provide any. Hence the need to write a filter to achieve your

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-19 Thread Wesley Acheson
On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote: On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The servlet specification mandates this behavior. Tomcat simply must support it. The spec says nothing of configurability, so Tomcat

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-18 Thread André Warnier
Caldarale, Charles R wrote: From: Scott Hamilton [mailto:scott.hamil...@plateau.com] Subject: RE: Is there a better way to disable JSESSIONID in the URLs? I could be missing something, but on a request where a session is created it appears as though Tomcat will both set the cookie AND do any

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-18 Thread Christopher Schultz
Wesley, On 8/17/2010 6:05 PM, Wesley Acheson wrote: I know of no better way to fix this. This is what we *had* to do to pass PCI too so it's no small deal. Wow, who made you disable jsessionids in URLs to achieve PCI compliance? Whoever did that

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-18 Thread Christopher Schultz
André, Wow. I wrote a book. Sorry for my uncharacteristically long exposition. On 8/18/2010 5:40 AM, André Warnier wrote: Could/should not Tomcat at least verify, when it gets a JSESSIONID from a client and retrieves the corresponding session

Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Scott Hamilton
Using Tomcat 6.0.29, but I think this is version-independent (correct me if I'm wrong), at least for the 6.0.x versions. From what I understand (see http://randomcoder.com/articles/jsessionid-considered-harmful for instance - I also scanned various aspects of the tomcat source code) there is

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Wesley Acheson
On Wed, Aug 18, 2010 at 12:01 AM, Scott Hamilton scott.hamil...@plateau.com wrote: Using Tomcat 6.0.29, but I think this is version-independent (correct me if I'm wrong), at least for the 6.0.x versions. From what I understand (see

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Caldarale, Charles R
From: Scott Hamilton [mailto:scott.hamil...@plateau.com] Subject: Is there a better way to disable JSESSIONID in the URLs? there is no way to disable tomcat from putting the JSESSIONID in URLs automatically with a nice friendly global switch/property. Tomcat won't put the jsessionid

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Scott Hamilton
. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, August 17, 2010 6:16 PM To: Tomcat Users List Subject: RE: Is there a better way to disable JSESSIONID in the URLs? From: Scott Hamilton [mailto:scott.hamil...@plateau.com] Subject

Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Len Popp
On 2010-08-17, at 18:15, Caldarale, Charles R chuck.caldar...@unisys.com wrote: Tomcat won't put the jsessionid in the URL unless cookies are disabled. If they are, then your webapp could refuse to talk to the client. That's not true. Tomcat doesn't know if cookies are available until

RE: Is there a better way to disable JSESSIONID in the URLs?

2010-08-17 Thread Caldarale, Charles R
From: Scott Hamilton [mailto:scott.hamil...@plateau.com] Subject: RE: Is there a better way to disable JSESSIONID in the URLs? I could be missing something, but on a request where a session is created it appears as though Tomcat will both set the cookie AND do any necessary URL rewriting