On 19/08/2010 13:32, Scott Hamilton wrote:
> Sorry to pull the thread back to my original problem, but I have one
> more question here.
>
> So far it looks like there's no way to prevent JSESSIONIDs from being
> injected into URLs that Tomcat might encode unless you implement a
> servlet filter to override that behavior.
>
> My follow-up question is this: given the increasing emphasis on security
> (and acknowledging that there's as much fear-mongering as there are
> legitimate threats involved in that business, and both cost money and
> time regardless of the legitimacy of the issue), does it make sense
> for Tomcat, and maybe even the servlet spec, to provide the option for
> the servlet container to disable this functionality at the container
> level, e.g. with a container configuration switch somewhere?
You could always submit a patch and see what the devs think. ;)

p

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
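The servlet filter approach the thread refers to, written out as an added example (not code from the thread or from Tomcat itself; the class and filter names are hypothetical): it wraps the response so that URL encoding never appends `;jsessionid=...`, keeping the session ID in the cookie only.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not from the thread): wraps the response so that
 * encodeURL()/encodeRedirectURL() return URLs unchanged, i.e. the container
 * never rewrites the session ID into links or redirects. The ID then travels
 * only in the JSESSIONID cookie and stays out of Referer headers, proxy and
 * access logs, browser history and copied links. Trade-off: clients that
 * reject cookies can no longer keep a session.
 *
 * Map it to every URL in web.xml:
 *   <filter-mapping><filter-name>noUrlSessionRewrite</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 */
public class NoUrlSessionRewriteFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            res = new NoRewriteResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Every encode*() method hands the URL back untouched. */
    private static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) { super(response); }

        @Override public String encodeURL(String url) { return url; }
        @Override public String encodeRedirectURL(String url) { return url; }
        // Deprecated Servlet 2.0 spellings, still called by some old code and taglibs.
        @Override public String encodeUrl(String url) { return url; }
        @Override public String encodeRedirectUrl(String url) { return url; }
    }
}
```

The container-level switch asked for above arrived later with Servlet 3.0, which lets web.xml declare `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` so the container itself stops rewriting session IDs into URLs.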