(Sorry for the encoded message spam. This is the original message.)
Hi,
because URL Rewriting is not very secure (see
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management),
I tried to completely disable it, but without success.
I understand and accept that clients not supporting cookies won't be able to
use my site.
I use Jetty 9.0.5 and configure everything through a ServletContextListener.
This is the relevant code:
servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
As I understand it, this should disable URL Rewriting, but on the first
POST-request using a session, the redirect url is rewritten to include the
jsessionid parameter.
I also tried:
servletContext.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName","none");
but to no avail.
Right now I use a servlet filter to circumvent this behaviour.
My question is: Is this the expected behaviour? If yes, is there a more elegant
standard way to only use cookies for session tracking?
I did not check the behaviour of Tomcat, maybe that's worth investigating?
Thank you very much in advance :)

_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users