+1! It's bad from the security POV.
2013/11/15 Vincent Massol <[email protected]>

> On Fri, Nov 15, 2013 at 9:58 AM, Marius Dumitru Florea <[email protected]> wrote:
>
> > +1
> >
> > Isn't there a servlet container configuration to disable jsessionid?
>
> Yes there is but we don't control that, the user would need to set up his
> container and you can be sure he'll forget to do it, thus causing lots of
> bugs/issues on the XWiki side ;)
>
> Thanks
> -Vincent
>
> > Thanks,
> > Marius
> >
> > On Fri, Nov 15, 2013 at 10:48 AM, Vincent Massol <[email protected]> wrote:
> >
> > > Hi devs,
> > >
> > > Right now we're trying to support clients (browsers namely) that have
> > > cookies turned off.
> > >
> > > I've recently updated code to try to support that but I've found that:
> > >
> > > 1) It's very hard and we still have lots of places in our code that
> > > don't work without cookies
> > > 2) It adds ;jsessionid in the URL and this is causing havoc in tons of
> > > unsuspecting places such as RSS feed generation (RSS readers get different
> > > URLs every time thus thinking it's a different article, exports,
> > > watchlist, tests, etc).
> > > 3) It's a security risk to expose the sessionid in the URL
> > > 4) It's bad for SEO since search bots may index several times the same
> > > resource with different sessionid (it's a new one every time)
> > > 5) There are lots of cases where we don't need to track sessions (like
> > > for RSS feed generation or HTML exports)
> > >
> > > I started fixing all failing places because of the ;jsessionid in the URL
> > > but more keep coming and it feels strange to have to remove it a bit
> > > everywhere when we're adding it in our URL factory.
> > >
> > > Thus I'd like to propose that we officially don't support tracking sessions
> > > in URLs (i.e. when browsers have cookies turned off).
> > >
> > > The idea is that I'd still call encodeURL in our XWikiURLFactory
> > > implementations (we need this if we want to support URL rewriting for short
> > > URLs for example) but XWikiURLFactory would strip any jsessionid from the
> > > URL.
> > >
> > > WDYT?
> > >
> > > Here's my +1
> > >
> > > Thanks
> > > -Vincent
> > > _______________________________________________
> > > devs mailing list
> > > [email protected]
> > > http://lists.xwiki.org/mailman/listinfo/devs
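The approach Vincent proposes, as an added example that is not XWiki's own code: the factory still passes the URL through the servlet `encodeURL` (so URL-rewriting filters keep working) and then drops any `;jsessionid=...` path parameter the container appended; the class and method names are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper for a URL factory: keep calling encodeURL so the
 * container's URL rewriting still runs, but never let a session id leak
 * into the URLs that end up in RSS feeds, exports, search indexes or logs.
 */
public final class SessionIdStrippingUrlEncoder {
    // Matches the ";jsessionid=<id>" path parameter appended by servlet
    // containers when cookies are off. It stops at the next path segment,
    // query string or fragment, so "?xpage=rss" and "#anchor" survive.
    // Case-insensitive because containers allow renaming the parameter.
    private static final Pattern JSESSIONID =
        Pattern.compile("(?i);jsessionid=[^;/?#]*");

    private SessionIdStrippingUrlEncoder() {
    }

    /** Let the container rewrite the URL, then remove any session id it added. */
    public static String encode(HttpServletResponse response, String url) {
        return stripSessionId(response.encodeURL(url));
    }

    /**
     * Removes every ";jsessionid=..." path parameter from a URL string.
     * Constructed examples of the expected behaviour:
     *   "/bin/view/Main/WebHome;jsessionid=ABC123?xpage=rss"
     *     -> "/bin/view/Main/WebHome?xpage=rss"
     *   "/bin/view/Main/WebHome;jsessionid=ABC123#Comments"
     *     -> "/bin/view/Main/WebHome#Comments"
     *   "/bin/view/Main/WebHome" (nothing to strip) is returned unchanged.
     */
    public static String stripSessionId(String url) {
        if (url == null || url.indexOf(';') < 0) {
            // Fast path: no path parameters at all, nothing to do.
            return url;
        }
        Matcher matcher = JSESSIONID.matcher(url);
        return matcher.replaceAll("");
    }
}
```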

