A number of CAS .jsp's contain JSTL directives such as:
> <link rel="stylesheet" href="<c:url value="${customCssFile}" />" />
> <link rel="icon" href="<c:url value="/favicon.ico" />" type="image/x-icon"
> />
When running on Tomcat, the first time a client hits the e.g. CAS login
page, each piece of static content generated from <c:url> has the
jsessionid parameter appended. E.g.
> <link type="text/css" media="screen" rel="stylesheet"
> href="/cas/themes/.../cas.css;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503" />
> <link rel="icon"
> href="/cas/favicon.ico;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503"
> type="image/x-icon" />
Offhand, I don't see the need to demonstrate an established session to
retrieve static content. Is there a security-based reason for attaching
jsessionid on this content?
I found one alternative that does not attach jsessionid:
> <link type="text/css" media="screen" rel="stylesheet"
> href="${pageContext.request.contextPath}${customCssFile}" />
> <link rel="icon" href="${pageContext.request.contextPath}/favicon.ico"
> type="image/x-icon" />
Any danger doing this? Any reason to prefer one over the other?
I can see putting a variable piece of content onto the URL might prevent
static content from being cached beyond the session lifetime (if that
works when using URL parameters). We happen to place e.g. a 10-minute
cache timeout on static content, so the jsessionid is redundant/superfluous.
Thanks.
Tom.
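
As an added example (not part of the original message and not CAS code), a small Python check that scans rendered HTML for URLs carrying a `;jsessionid=` path parameter and flags which of them point at static content. The sample markup reuses the two rendered links quoted above; the form and script lines, the function name and the list of static extensions are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry URLs in the tags a login page typically emits.
URL_ATTRS = {"href", "src", "action"}
# Servlet-container path parameter: ";jsessionid=<id>" inside the URL path.
JSESSIONID = re.compile(r";jsessionid=[0-9A-Za-z._-]+", re.IGNORECASE)
# Assumed list of extensions treated as static content.
STATIC_EXT = (".css", ".js", ".ico", ".png", ".gif", ".jpg", ".svg")

# Constructed sample: first two links as quoted in the message, rest invented.
SAMPLE = """
<link type="text/css" media="screen" rel="stylesheet"
 href="/cas/themes/.../cas.css;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503" />
<link rel="icon" href="/cas/favicon.ico;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503"
 type="image/x-icon" />
<form action="/cas/login;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503" method="post"></form>
<script src="/cas/js/cas.js"></script>
"""


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            path = urlsplit(value).path  # drops ?query and #fragment
            if not JSESSIONID.search(path):
                continue
            clean = JSESSIONID.sub("", path)
            # The id itself is left out so the report is not another leak.
            self.findings.append({
                "tag": tag, "attr": name, "clean_path": clean,
                "static": clean.lower().endswith(STATIC_EXT),
            })


def find_jsessionid_urls(html):
    """Return one finding per URL attribute that embeds a jsessionid."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    return collector.findings
```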