Sorry to pull the thread back to my original problem, but I have one
more question here.

So far it looks like there's no way to prevent JSESSIONIDs from being
injected into URLs that Tomcat might encode unless you implement a
servlet filter to override that behavior.

My follow-up question is this: given the increasing emphasis on security
(and acknowledging that there's as much fear-mongering as there are
legitimate threats involved in that business and both cost money and
time regardless of the legitimacy of the issue), does it make sense
for Tomcat, and maybe even the servlet spec, to provide the option for
the servlet container to disable this functionality at the container
level, e.g. with a container configuration switch somewhere?