Looks like a positive improvement. Have you also tried changing the session-config in web.xml to be cookie-based?
> -----Original Message-----
> From: Tom Poage [mailto:[email protected]]
> Sent: Friday, June 20, 2014 4:21 PM
> To: [email protected]
> Subject: [cas-user] JSESSIONID and static content
>
> A number of CAS .jsp's contain JSTL directives such as:
>
> > <link rel="stylesheet" href="<c:url value="${customCssFile}" />" />
> > <link rel="icon" href="<c:url value="/favicon.ico" />"
> > type="image/x-icon" />
>
> When running on Tomcat, the first time a client hits the e.g. CAS login page, each
> piece of static content generated from <c:url> has the jsessionid parameter
> appended. E.g.
>
> > <link type="text/css" media="screen" rel="stylesheet"
> > href="/cas/themes/.../cas.css;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503" />
> > <link rel="icon"
> > href="/cas/favicon.ico;jsessionid=5C54F4AF6C0B3ADB7A4E5FF25D3F6503"
> > type="image/x-icon" />
>
> Offhand, I don't see the need to demonstrate an established session to retrieve
> static content. Is there a security-based reason for attaching jsessionid on this
> content?
>
> I found one alternative that does not attach jsessionid:
>
> > <link type="text/css" media="screen" rel="stylesheet"
> > href="${pageContext.request.contextPath}${customCssFile}" />
> > <link rel="icon"
> > href="${pageContext.request.contextPath}/favicon.ico"
> > type="image/x-icon" />
>
> Any danger doing this? Any reason to prefer one over the other?
>
> I can see putting a variable piece of content onto the URL might prevent static
> content from being cached beyond the session lifetime (if that works when using
> URL parameters). We happen to place e.g. a 10-minute cache timeout on static
> content, so the jsessionid is redundant/superfluous.
>
> Thanks.
> Tom.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
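
The cookie-based session tracking suggested in the reply at the top of this thread, shown as an added example that is not part of the original messages or of the CAS distribution. It assumes the CAS webapp's web.xml is declared against Servlet 3.0 or later (Tomcat 7+); the cookie hardening flags are an additional assumption, not something the thread asked for.

```xml
<!-- Fragment for WEB-INF/web.xml, placed inside <web-app version="3.0" ...>.
     Assumption: the container supports the Servlet 3.0 session-config schema. -->
<session-config>
    <cookie-config>
        <!-- Keep the session id out of reach of page scripts. -->
        <http-only>true</http-only>
        <!-- Only send the session cookie over HTTPS, which a CAS login page uses anyway. -->
        <secure>true</secure>
    </cookie-config>
    <!-- Track sessions by cookie only. With URL tracking switched off,
         response.encodeURL() (and therefore <c:url>) stops appending
         ;jsessionid=... to generated links, static or not. -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With this in place the `<c:url>` tags in the JSPs can stay as they are, and the session id no longer appears in URLs where it could end up in Referer headers, proxy logs or cached pages.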
