--
> j> you use the encodeUrl() method, then you are set with regards
> j> to session management since it will attempt to set a cookie
> j> once and if that fails, all your URLs will be re-written to
> j> support the session in the url.
>
> This is not to contradict Jon's answer, but you should be aware that
> URL re-writes *can* be a security risk: Other sites can query the
> browser's history list. It's not a big issue, but more than one
> portal has been stung by silly mistakes with this method.
Yes, that is only when the method used was not the POST method. So, if you
care about this issue, don't use encodeUrl() to build the URL that is
submitted via the POST method. Use a hidden <input> tag to send that data in
that case.

P.S. It is a security hole on the /browser/ side and the known holes have
been fixed in the latest versions of the browsers.
-jon
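
An added example, not part of the thread or of any servlet engine's code: a small audit that finds where a rendered page carries a URL-rewritten session id, separating ordinary links from POST form actions, the case the reply above says to handle with a hidden field. The `jsessionid` parameter name, the helper names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the container rewrites URLs as ";jsessionid=<id>" or
# "?jsessionid=<id>"; change SESSION_PARAM to match your servlet engine.
SESSION_PARAM = "jsessionid"
TOKEN_RE = re.compile(r"[;?&]" + re.escape(SESSION_PARAM) + r"=([^;?&#]+)", re.I)
URL_ATTRS = ("href", "src", "action")


class RewrittenUrlAudit(HTMLParser):
    """Collect every URL-bearing attribute that carries a session id."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, kind, redacted_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            url = attrs.get(name) or ""
            if not TOKEN_RE.search(url):
                continue
            kind = "link"
            if tag == "form":
                # A form without a method attribute submits with GET.
                kind = "form-" + (attrs.get("method") or "get").lower()
            self.findings.append((tag, name, kind, redact(url)))


def redact(url):
    """Blank out the session id value so findings can be logged safely."""
    return TOKEN_RE.sub(lambda m: m.group(0)[: -len(m.group(1))] + "REDACTED", url)


def audit(html):
    """Return the findings for one rendered HTML page."""
    parser = RewrittenUrlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real application.
SAMPLE = """<a href="/portal/inbox;jsessionid=A1B2C3?folder=1">Inbox</a>
<a href="/portal/help">Help</a>
<form method="POST" action="/portal/save;jsessionid=A1B2C3">
<input type="hidden" name="item" value="7"></form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
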