[ https://issues.apache.org/jira/browse/OFBIZ-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054786#comment-15054786 ]

Jacques Le Roux commented on OFBIZ-4645:
----------------------------------------

Also a very interesting complement for those who doubt 
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

> <link> creates links without jsessionid for users who have cookies disabled
> ---------------------------------------------------------------------------
>
>                 Key: OFBIZ-4645
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4645
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Christoph Neuroth
>
> HtmlMenuRenderer.renderLink uses WidgetWorker.buildHyperlinkUrl to construct 
> the URL. Other parts of OFBiz use RequestHandler.makeLink. The latter will 
> include the jsessionid as a parameter in the generated URL if necessary 
> (i.e. cookies are not available), but the former does not. Because of this, 
> all links that are rendered using the <link> tag in an XML Form definition 
> will send the user back to the login page.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
