[
https://issues.apache.org/jira/browse/OFBIZ-6872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131141#comment-15131141
]
Jacques Le Roux commented on OFBIZ-6872:
----------------------------------------
Done at at revision: 1728375
Before closing I will ask on dev ML about this point I put in the description
of this issue:
{quote}
There are also many cases where we show the sessionId in logs (using
UtilHttp.getSessionId()) I wonder if we should not keep those commented out or
change the debug info level. Also HttpSessionEvent.getSession().getId() is
directly used in some places for the same purpose (log)
{quote}
> Remove all sessionsIds put in URLs
> ----------------------------------
>
> Key: OFBIZ-6872
> URL: https://issues.apache.org/jira/browse/OFBIZ-6872
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
>
> We should always use sessionIds in cookies and newer have sessionsIds in
> URLs. So I will remove all sessionsIds in URLs. There are 2 cases:
> # the part related to spiders in RequestHandler
> # HtmlFormRenderer.appendExternalLoginKey() (there is also an
> appendExternalLoginKey method in MacroFormRenderer class but it's not used
> OOTB)
> There are also many cases where we show the sessionId in logs (using
> UtilHttp.getSessionId()) I wonder if we should not keep those commented out
> or change the debug info level. Also HttpSessionEvent.getSession().getId() is
> directly used in some places for the same purpose (log)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
