[ 
https://issues.apache.org/jira/browse/OFBIZ-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054232#comment-15054232
 ] 

Jacques Le Roux commented on OFBIZ-4645:
----------------------------------------

This is disputable; see my comment at OFBIZ-1690. Long story short, people 
should not disable OFBiz cookies, and jsessionid is not secure. OK, I disable 
cookies with tons of plugins in Firefox, but not OFBiz cookies, localhost and 
apache.org at least.

If nobody disagrees I will close as not a problem, but I really wonder if we 
should not even disable the feature in RequestHandler.makeLink (boolean 
forceManualJsessionid = !cookies) and rather warn users that they should enable 
OFBiz cookies when using an OFBiz based site.

> <link> creates links without jsessionid for users who have cookies disabled
> ---------------------------------------------------------------------------
>
>                 Key: OFBIZ-4645
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4645
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Christoph Neuroth
>
> HtmlMenuRenderer.renderLink uses WidgetWorker.buildHyperlinkUrl to construct 
> the URL. Other parts of OFBiz use RequestHandler.makeLink. The latter will 
> include the jsessionid as a parameter in the generated URL if necessary 
> (i.e. cookies are not available), but the former does not. Because of this, 
> all links that are rendered using the <link> tag in an XML Form definition 
> will send the user back to the login page.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
