sjo wrote:

> On Thu, 20 May 1999, you wrote:
>
> >> > If cookies are turned off in the client, the server falls back to using
> >> URLs anyway.
> >>
> >> No :( If I turn coockies off, there is no sessions :(( I use 1.0b4
> >>
> >
> >Are you doing the encodeUrl() calls?  If you're not, there's no way for
> >URL-rewriting-based session management to work.
>
> Of course there is, by simply doing session-management on application
> level (ok, you probably implied JServ-session-management when you said
> session-management). Yes, this means additional work (but only once if done
> properly), so might not be suitable for a lot of people, so this was not just a
> call to avoid JServ's session mechanism :) It's certainly perfectly suitable
> for most applications. I just want to point to more alternatives.
>

You're right, of course.  I should have said "there's no way for
URL-rewriting-based session management provided automatically by the servlet
engine" to work.  This is because calling encodeUrl() is the servlet writer's
responsibility under the contract.  Application level security control is always an
option, and sometimes required to get around limitations of the generic model.

Craig




-- --------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
READ THE FAQ!!!!     <http://java.apache.org/faq/>
Archives and Other:  <http://java.apache.org/main/mail.html/>
Problems?:           [EMAIL PROTECTED]

Reply via email to