Kevin Yeung wrote:

> Hello all,
>
> I'm sorry if this question has been asked and answered before, but I
> couldn't find a satisfactory answer elsewhere.
>
> First, let's assume cookies have been disabled. My understanding is that the
> only way to track a session is to use URL rewriting.
>
> My question is, where do I do the response.encodeURL() call?
>

What you want to make sure is that any hyperlink you create in the response
page, that is going to submit back to (or link to another page in) the same
webapp, has been encoded.  You do *not* need to worry about encoding the
arguments to RequestDispatcher.forward() or RequestDispatcher.include() calls,
since they are all happening on the server, in the context of a single request.

For example, assume your JSP page has a form on it.  Your HTML <form> element
would look something like this:

    <form method="POST"
     action='<%= response.encodeURL("...URL of the servlet...") %>'>

The primary other place you will need to worry about this is on <a href="...">
tags, unless they link to places outside of your application.

> I have one JSP page and one servlet. The JSP submits some data to the
> servlet and the servlet returns something back to the JSP. I tried doing
> the following in my servlet and it didn't work:
>
>     getServletContext()
>         .getRequestDispatcher(response.encodeURL("/myJsp.jsp"))
>         .forward(request, response);
>
> The call request.getSession(true) at the beginning of the servlet's
> doPost() always returns a new session object.
>
> The next thing I tried was to do the forwarding without the encodeURL().
> In addition, in my JSP, I do the following:
>
> <form action="<%=response.encodeURL("myServlet")%>" method="POST">
>
> And it worked, but I wonder if this is correct. Moreover, it exposes the
> session in the HTML code.
>

Yep, that is correct.

The session id is exposed in the HTML code, but using cookies is not any safer
-- anyone who can snoop the network connection can still see the cookie values
going back and forth.

>
> What is your solution? How do you do it? I'm using WebLogic with
> URLRewriting enabled, but I am seeking an app server independent solution
> for my servlet code and JSP.
>

URL rewriting is portable across all servlet containers that conform to the specs.

>
> Thank you very much for your help.
>
> Regards,
> Kevin
>

Craig McClanahan
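
The rule discussed in this thread, as an added example that is not part of the original messages or of either poster's code: URLs the browser will request are encoded, the RequestDispatcher path is not. The names MyServlet, visits, done.jsp, help.jsp and vendor.example are hypothetical; the example also goes one step beyond the thread by using encodeRedirectURL() for sendRedirect(), and its link() helper explicitly leaves links to other sites unencoded so the session id is not attached to them.

```java
// Added example; class, attribute, page and host names are hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class MyServlet extends HttpServlet {

    /** Encode a link that will be written into the page; links that
     *  leave the webapp are returned untouched (no session id added). */
    static String link(HttpServletResponse response, String url) {
        boolean external = url.startsWith("http://")
                || url.startsWith("https://")
                || url.startsWith("//");
        return external ? url : response.encodeURL(url);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // With cookies disabled, the existing session is found only if the
        // form that posted here wrote its action with encodeURL().
        HttpSession session = request.getSession(true);
        Integer visits = (Integer) session.getAttribute("visits");
        int count = (visits == null) ? 1 : visits.intValue() + 1;
        session.setAttribute("visits", Integer.valueOf(count));

        if (request.getParameter("done") != null) {
            // A redirect makes the browser issue a new request, so encode it.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/done.jsp"));
            return;
        }

        // URLs the JSP will emit in <form action> and <a href>.
        request.setAttribute("formAction", link(response, "myServlet"));
        request.setAttribute("helpLink", link(response, "help.jsp"));
        request.setAttribute("vendorLink", link(response, "http://vendor.example/"));

        // Server-side forward inside the same request: the path is NOT encoded.
        getServletContext().getRequestDispatcher("/myJsp.jsp")
                .forward(request, response);
    }
}
```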
