Jacques Le Roux created OFBIZ-6872:
--------------------------------------
Summary: Remove all sessionsIds put in URLs
Key: OFBIZ-6872
URL: https://issues.apache.org/jira/browse/OFBIZ-6872
Project: OFBiz
Issue Type: Sub-task
Components: framework
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Fix For: Upcoming Branch
We should always use sessionIds in cookies and newer have sessionsIds in URLs.
So I will remove all sessionsIds in URLs. There are 2 cases:
# the part related to spiders in RequestHandler
# HtmlFormRenderer.appendExternalLoginKey() (there is also an
appendExternalLoginKey method in MacroFormRenderer class but it's not used OOTB)
There are also many cases where we show the sessionId in logs (using
UtilHttp.getSessionId()) I wonder if we should not keep those commented out or
change the debug info level. Also HttpSessionEvent.getSession().getId() is
directly used in some places for the same purpose (log)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
