First of all, you shouldn't really bother. The servlet container should decide on the mechanism. (On some servers it's possible to specify that one of the mechanisms shouldn't be used.) The default mechanism is temporary cookies. If for some reason the browser doesn't accept cookies, the servlet container might switch to URL rewriting to keep the sessions.

URL rewriting works, but there are a lot of drawbacks. That's why you should only use it when cookies are not possible. Now, why is it bad:

- It provides ugly URLs. At first you might say that this is not that important, but in a lot of cases it is really annoying. E.g. you can't save a certain page in your bookmarks because it also saves the session info. If you try to go to the bookmark, it says the session is expired. Very annoying. You cannot simply pass a URL to someone else (e.g. in an email)....

- For the developer, it's error-prone and requires maintenance. All links on all pages that stay within the same site should be URL-encoded. If a developer simply forgets this in a single place, sessions are dropped. With several browsers open, this might lead to users being logged in twice in different sessions, which might be very confusing. It also means that all your pages should be dynamic. You cannot mix with simple plain HTML because these pages would contain links that don't keep the session alive.

- And now the most important one: although lots of people are paranoid when it concerns cookies, URL rewriting is far more insecure than cookies!!!! Because the session ID is located inside the URL, it is much easier for other people to break into a session than with cookies. The session ID is not only readable in the IP packets when requesting a page, but also in the Apache log files and in the HTTP_REFERER field of the requests to a next page!!!! This means that your session ID is plainly visible to other servers. Now that's very insecure IMO.

I know what I'm talking about, I've done it more than once ;-)
Geert Van Damme

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]] On Behalf Of Philip M. Meier
> Sent: Saturday 5 January 2002 13:59
> To: [EMAIL PROTECTED]
> Subject: Re: Sessions and URL-Rewriting?
>
> Hello Geert!
>
> There's no special reason, but I thought that url-rewriting is better
> until! Why is it better? Is there a method or whatever to tell the
> session-object to use url-rewriting and no cookies?
>
> Greetings,
>
> Philip
>
> > Why?
> > Cookies are better than URL Rewriting.
> >
> > Geert Van Damme
> >
> > > I'd like to make use of the session-object, but I don't want the
> > > session-object to use cookies, but instead to use URL-rewriting!
> > > Is there a method or whatever to
> > > tell the session-object to use url-rewriting and no cookies?
> > >
> > > Thanks in advance,
> > >
> > > Philip
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
> http://archives.java.sun.com/jsp-interest.html
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.jsp
> http://www.jguru.com/faq/index.jsp
> http://www.jspinsider.com
> ===========================================================================
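The leak Geert describes above (the session ID landing in the web server's access log and in the Referer of the next request) is something you can check for in your own logs. The scanner below is an added example, not code from this thread; the log lines are constructed samples in Apache "combined" format, and the `jsessionid` parameter name follows the servlet-container convention.

```python
import re

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2002:13:59:01 +0100] "GET /shop/cart.jsp;jsessionid=ABC123DEF456 HTTP/1.1" 200 512 "http://shop.example/index.jsp;jsessionid=ABC123DEF456" "Mozilla/4.0"
10.0.0.6 - - [05/Jan/2002:13:59:02 +0100] "GET /shop/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.7 - - [05/Jan/2002:13:59:03 +0100] "GET /banner.gif HTTP/1.1" 200 99 "http://shop.example/cart.jsp?JSESSIONID=ZZZ999" "Mozilla/4.0"
"""

# The two fields of a combined-format line that can carry a rewritten URL:
# the request target and the Referer header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)"'
)

# Servlet containers append the ID as a path parameter (;jsessionid=...);
# a query-string variant is matched as well. Case-insensitive on purpose.
SID_RE = re.compile(r'(?i)(;jsessionid=|[?&]jsessionid=)([^;?&\s]+)')


def mask(url):
    """Blank the session ID value so findings can be reported without re-leaking it."""
    return SID_RE.sub(lambda m: m.group(1) + "***", url)


def find_session_leaks(log_text):
    """Return one finding per log field (request URL or Referer) carrying a session ID."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("url", "referer"):
            value = m.group(field)
            if SID_RE.search(value):
                findings.append({"ip": m.group("ip"), "field": field, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in find_session_leaks(SAMPLE_LOG):
        print(f"{f['ip']} exposed a session ID in the {f['field']} field: {f['value']}")
```

A hit in the `referer` field is exactly the case from the post: the ID left the page that issued it and was recorded by whichever server served the next request.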
