+1. If you block cookies you may expect 99% of sites to be broken anyway;
far better to break those not using cookies than to get issues with our
features.


On Fri, Nov 15, 2013 at 10:30 AM, Guillaume "Louis-Marie" Delhumeau <
[email protected]> wrote:

> +1! It's bad from the security POV.
>
>
> 2013/11/15 Vincent Massol <[email protected]>
>
> > On Fri, Nov 15, 2013 at 9:58 AM, Marius Dumitru Florea <
> > [email protected]> wrote:
> >
> > > +1
> > >
> > > Isn't there a servlet container configuration to disable jsessionid?
> > >
> >
> > Yes there is but we don't control that, the user would need to set up his
> > container and you can be sure he'll forget to do it, thus causing lots of
> > bugs/issues on the XWiki side ;)
> >
> > Thanks
> > -Vincent
> >
> >
> > >
> > > Thanks,
> > > Marius
> > >
> > > On Fri, Nov 15, 2013 at 10:48 AM, Vincent Massol <[email protected]>
> > > wrote:
> > > > Hi devs,
> > > >
> > > > Right now we're trying to support clients (browsers namely) that have
> > > > cookies turned off.
> > > >
> > > > I've recently updated code to try to support that but I've found that:
> > > >
> > > > 1) It's very hard and we still have lots of places in our code that
> > > > don't work without cookies
> > > > 2) It adds ;jsessionid in the URL and this is causing havoc in tons of
> > > > unsuspecting places such as RSS feed generation (RSS readers get
> > > > different URLs every time, thus thinking it's a different article),
> > > > exports, watchlist, tests, etc.
> > > > 3) It's a security risk to expose the sessionid in the URL
> > > > 4) It's bad for SEO since search bots may index the same resource
> > > > several times with different sessionids (it's a new one every time)
> > > > 5) There are lots of cases where we don't need to track sessions (like
> > > > for RSS feed generation or HTML exports)
> > > >
> > > > I started fixing all failing places because of the ;jsessionid in the
> > > > URL but more keep coming and it feels strange to have to remove it a bit
> > > > everywhere when we're adding it in our URL factory.
> > > >
> > > > Thus I'd like to propose that we officially don't support tracking
> > > > sessions in URLs (i.e. when browsers have cookies turned off).
> > > >
> > > > The idea is that I'd still call encodeURL in our XWikiURLFactory
> > > > implementations (we need this if we want to support URL rewriting for
> > > > short URLs for example) but XWikiURLFactory would strip any jsessionid
> > > > from the URL.
> > > >
> > > > WDYT?
> > > >
> > > > Here's my +1
> > > >
> > > > Thanks
> > > > -Vincent
> > > > _______________________________________________
> > > > devs mailing list
> > > > [email protected]
> > > > http://lists.xwiki.org/mailman/listinfo/devs
> > >
> >
>



-- 
Denis Gervalle
SOFTEC sa - CEO
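As an added example (my own code, not XWiki's and not from anyone in this thread), here is the stripping step Vincent proposes for XWikiURLFactory: still call HttpServletResponse.encodeURL() so URL rewriting for short URLs keeps working, then remove the ;jsessionid path parameter that the container appends when the client sends no session cookie. The class name, the sample URLs and the assumption that the container writes the id as a ";jsessionid=..." path parameter in front of the query string (as Tomcat and Jetty do) are mine, not the project's.

```java
import java.util.regex.Pattern;

/**
 * Added example, not XWiki code: remove the ";jsessionid=..." path parameter
 * that HttpServletResponse.encodeURL() appends for cookie-less clients, while
 * leaving the query string and fragment untouched.
 */
public final class SessionIdStripper {

    // The container emits the session id as a path parameter, i.e. after the
    // last path segment and before '?' or '#'. The id never contains ';', '?',
    // '#' or '/'. Matching is case-insensitive as a defensive choice.
    private static final Pattern JSESSIONID =
        Pattern.compile("(?i);jsessionid=[^;?#/]*");

    private SessionIdStripper() {
    }

    /**
     * @param url the URL returned by encodeURL(); may be absolute or relative
     * @return the same URL without any ;jsessionid path parameter
     */
    public static String stripSessionId(String url) {
        if (url == null || url.isEmpty()) {
            return url;
        }
        // Only rewrite the path part: "jsessionid" inside a query string or
        // fragment is user data (e.g. a search term), not a container artefact.
        int cut = indexOfFirst(url, '?', '#');
        String path = cut < 0 ? url : url.substring(0, cut);
        String rest = cut < 0 ? "" : url.substring(cut);
        return JSESSIONID.matcher(path).replaceAll("") + rest;
    }

    private static int indexOfFirst(String s, char a, char b) {
        int i = s.indexOf(a);
        int j = s.indexOf(b);
        if (i < 0) {
            return j;
        }
        if (j < 0) {
            return i;
        }
        return Math.min(i, j);
    }

    public static void main(String[] args) {
        // Constructed sample URLs (hypothetical host and ids), covering the
        // RSS and export cases mentioned in the thread plus a query string
        // that merely contains the word "jsessionid" and must stay as is.
        String[] samples = {
            "http://wiki.example.org/xwiki/bin/view/Main/;jsessionid=1A2B3C4D?xpage=rss",
            "/xwiki/bin/view/Main/WebHome;jsessionid=1A2B3C4D#HSection",
            "/xwiki/bin/export/Main/WebHome?format=html&q=jsessionid",
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + stripSessionId(s));
        }
    }
}
```

The container-side switch Marius asks about does exist in Servlet 3.0 and later: `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, or `ServletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE))` from a ServletContextListener, after which encodeURL() returns the URL unchanged. Stripping in the URL factory covers the deployments where that setting was forgotten, which is the case Vincent is worried about. Either way, the check is the same: fetch a page with cookies disabled and confirm that no ;jsessionid shows up in the HTML, the RSS feed or an export, and that links to external sites therefore carry no session id in the Referer header.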