+1 to drop jsessionid use

On Fri, Nov 15, 2013 at 9:48 AM, Vincent Massol <[email protected]> wrote:
> Hi devs,
>
> Right now we're trying to support clients (browsers namely) that have
> cookies turned off.
>
> I've recently updated code to try to support that but I've found that:
>
> 1) It's very hard and we still have a lot of places in our code that don't
> work without cookies
> 2) It adds ;jsessionid in the URL and this is causing havoc in tons of
> unsuspecting places such as RSS feed generation (RSS readers get different
> URLs every time thus thinking it's a different article, exports,
> watchlist, tests, etc).
> 3) It's a security risk to expose the sessionid in the URL
> 4) It's bad for SEO since search bots may index several times the same
> resource with different sessionid (it's a new one every time)
> 5) There are lots of cases where we don't need to track sessions (like for
> RSS feed generation or HTML exports)
>
> I started fixing all failing places because of the ;jsessionid in the URL
> but more keep coming and it feels strange to have to remove it a bit
> everywhere when we're adding it in our URL factory.
>
> Thus I'd like to propose that we officially don't support tracking sessions
> in URLs (i.e. when browsers have cookies turned off).
>
> The idea is that I'd still call encodeURL in our XWikiURLFactory
> implementations (we need this if we want to support URL rewriting for short
> URLs for example) but XWikiURLFactory would strip any jsessionid from the
> URL.
>
> WDYT?
>
> Here's my +1
>
> Thanks
> -Vincent
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs

--
Thomas Mortagne
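The stripping step proposed in the quoted message, sketched as an added example that is not part of the thread and not XWiki's code: the class `SessionIdStripper`, the method `stripSessionId` and the sample URLs are hypothetical. It assumes the container appends the id as a `;jsessionid=` path parameter ahead of any query string or fragment.

```java
import java.util.regex.Pattern;

public class SessionIdStripper {
    // The session id is a path parameter: ";jsessionid=<id>". The name is
    // matched case-insensitively and the value runs up to the next
    // delimiter (";", "/", "?", "#") or the end of the path.
    private static final Pattern JSESSIONID =
        Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    /** Hypothetical helper: drop the jsessionid path parameter from an encoded URL. */
    public static String stripSessionId(String encodedUrl) {
        if (encodedUrl == null) {
            return null;
        }
        // Limit the rewrite to the path, so the same text inside a query
        // value or a fragment is left untouched.
        int end = encodedUrl.length();
        int query = encodedUrl.indexOf('?');
        int fragment = encodedUrl.indexOf('#');
        if (query >= 0) {
            end = Math.min(end, query);
        }
        if (fragment >= 0) {
            end = Math.min(end, fragment);
        }
        String path = encodedUrl.substring(0, end);
        String rest = encodedUrl.substring(end);
        return JSESSIONID.matcher(path).replaceAll("") + rest;
    }

    public static void main(String[] args) {
        // Constructed sample URLs: the same resource encoded for two sessions.
        String first = "/wiki/page;jsessionid=A1B2C3.node1?format=rss";
        String second = "/wiki/page;JSESSIONID=FFEE99?format=rss";
        // Constructed sample: the text appears in the query, not the path.
        String inQuery = "/wiki/page?ref=a;jsessionid=x#top";

        System.out.println(stripSessionId(first));
        System.out.println(stripSessionId(second));
        // Both encodings normalize to one URL, so a feed reader or a
        // search bot sees a single resource.
        System.out.println(stripSessionId(first).equals(stripSessionId(second)));
        System.out.println(stripSessionId(inQuery).equals(inQuery));
    }
}
```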

