JonTom Kittredge wrote:

> "Craig R. McClanahan" wrote:
>
> > If you do not code your pages for URL rewriting, and the user turns off
> > cookie processing in their browser, they won't be able to utilize
> > sessions within your application.  Therefore, you must either code for
> > URL rewriting or require cookies to be enabled in order to use your app.
>
> "Code for URL rewriting"? I thought that session-tracking was handled by the
> servlet engine (as specified by the servlet API) transparently for the programmer:
> if the user has turned cookies off, the servlet engine would automatically
> use URL-rewriting "under the covers" to do session tracking. Is that not correct?
> Do I have to do anything special in my code to support URL-rewriting?
>

Yes, you do.  If you are generating HTML from servlets, you might have something like
this:

    PrintWriter writer = response.getWriter();
    ...
    writer.println("<a href=\"" +
      response.encodeURL("/nextpage") +
      "\">Next Page</a>");

or, in a JSP page, you might do something like this:

    <a href="<%= response.encodeURL("/nextpage") %>">Next Page</a>

to do the appropriate encoding.  You need to put the encode wrapping around *every*
hyperlink or form destination URL that points back into your application.  You would
not want to encode hyperlinks that point to external sites, because the session ID
that would be encoded won't be recognized as valid there anyway -- and it might allow
an unscrupulous person at that site to attempt to impersonate a currently valid
session.  (This is the same reason that cookies should only be sent back to the
hosts/domains that created them).

The servlet engine can deal with session maintenance automatically *only* if cookies
are used.  The reason for this is that the engine does *not* scan your output page
looking for hyperlinks that need to be encoded (and you don't want it to -- that would
slow down page processing enormously).  It relies on you to call
HttpServletResponse.encodeURL() as necessary.

By the way, if you are using sendRedirect(), you need to call encodeRedirectURL() on
those links instead of encodeURL() -- the rules for when encoding is actually done are
slightly different.

>
> Yours, JonTom
>
>     JT Kittredge
>     ITA Software
>     Cambridge, Massachusetts

Craig McClanahan
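As an added illustration (not code from the original post or from any servlet engine), here is a hypothetical servlet that applies the rules described above: encodeURL() on every internal link and form action, encodeRedirectURL() on redirects, and no encoding at all for links to other hosts, so the session ID is never handed to a third-party site. The class name NextPageServlet, the link() helper and the URL paths are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (added example) showing where encodeURL()/encodeRedirectURL()
// must be applied so URL-rewritten sessions work when the browser rejects cookies,
// and where they must NOT be applied so the session ID never leaves the application.
public class NextPageServlet extends HttpServlet {

    // Encode a link only when it points back into this application. An absolute link
    // to another host is emitted untouched, so no session ID is leaked to that site.
    static String link(HttpServletRequest req, HttpServletResponse resp, String href) {
        URI target = URI.create(href);
        boolean internal = target.getHost() == null
                || target.getHost().equalsIgnoreCase(req.getServerName());
        return internal ? resp.encodeURL(href) : href;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getSession(true);  // create the session; the engine picks cookie vs. rewriting

        if ("1".equals(req.getParameter("goto"))) {
            // Redirect targets use encodeRedirectURL(): same idea, slightly different rules.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/nextpage"));
            return;
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        // Internal link: the engine appends the session ID only when cookies are off.
        out.println("<a href=\"" + link(req, resp, req.getContextPath() + "/nextpage")
                + "\">Next Page</a>");
        // Form destination: the same rule applies to action URLs.
        out.println("<form method=\"post\" action=\""
                + link(req, resp, req.getContextPath() + "/submit") + "\">"
                + "<input type=\"submit\" value=\"Send\"/></form>");
        // External link: left as-is so the session ID is not exposed to that site.
        out.println("<a href=\"" + link(req, resp, "http://www.example.org/")
                + "\">Elsewhere</a>");
        out.println("</body></html>");
    }
}
```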

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html