Geoff Soutter wrote:
> Thanks for the input Nic and Andy.
>
> I think I'd better try and explain myself again ... my last attempt was a
> 30sec job cos my girlfriend was waiting downstairs in the car to pick me up
> :-)
>
> I fully understand _how_ the method is supposed to work and when you would
> use it. I agree that you can leave the actual method of encoding to the
> servlet engine.
>
> What I want to know is, given an input URL A, what must the format of A be
> in order to trigger the session encoding?
>
> For example, should a URL that points to different host be session encoded
> or not?
>
> Cheers
>
> Geoff
>
The simple version of the rule is this: the only URLs that should be encoded
(assuming the servlet engine has decided it is necessary) are those that
(after being expanded into an absolute URL) point back at THIS host. In
addition, if you are in a version 2.1+ servlet engine environment, and the
servlet context your servlet resides in is mapped to a URI prefix, then only
URLs that go back to this host, and resolve to the same prefix, should be
encoded.
To expand on that latter point a little, assume that you have two web-based
applications -- a purchasing system and a store -- hosted on the same server.
You set up a servlet context for each app, attached to a convenient
prefix (say, "/purchasing" and "/store"). Now, the following rules apply to
what should be encoded when:
Servlets (and JSP pages) in the purchasing application should only
encode URLs that refer back to this host, and have a request URI
that starts with "/purchasing".
Servlets (and JSP pages) in the store application should only encode
URLs that refer back to this host, and have a request URI that starts
with "/store".
The reason for the restriction is that sessions are actually unique to a
servlet context, not just to a virtual host. You cannot access session
information created in one context from any other context anyway (it would be
a nasty security risk if you could), so there's no point in doing the encode
unless you know that the user is coming back in to the same context.
Craig McClanahan
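The rule Craig lays out (expand the link to an absolute URL, then encode it only if it comes back to this host and, on a 2.1+ engine, to the same context prefix), written out as a stand-alone decision function. This is an added example, not code from the original message, the servlet API or any servlet engine: `shouldEncode` and `encodeURL` are illustrative names, the request URL `http://shop.example.com/purchasing/cart`, the `/purchasing` and `/store` contexts, the session id and the sample links are all constructed, and it assumes that a different port counts as a different host and that default ports are not normalised.

```java
// Added example: the "same host, same servlet context" rule from the reply above,
// implemented with plain java.net.URI. Not the servlet API's encodeURL() and not any
// engine's code; request URL, context paths, session id and links are constructed.
import java.net.URI;

public class SessionUrlRule {

    /** Should `target`, written in a page served for `request` under `contextPath`, be session-encoded? */
    static boolean shouldEncode(URI request, String contextPath, String target) {
        URI abs = request.resolve(target);             // expand relative links against the request URL
        String host = abs.getHost();
        if (host == null) {                            // mailto:, javascript:, other opaque URIs: never
            return false;
        }
        if (!host.equalsIgnoreCase(request.getHost())) {
            return false;                              // another host: encoding would hand it the session id
        }
        if (abs.getPort() != request.getPort()) {      // assumption: another port is another server
            return false;                              // (default ports are not normalised here)
        }
        String path = abs.getPath();
        if (path == null) {
            return false;
        }
        if (contextPath.isEmpty()) {                   // root (default) context owns every path
            return true;
        }
        // 2.1+ engines: only links that land back inside this servlet context.
        // "/purchasing/" guards against a lookalike prefix such as "/purchasingx".
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    /** URL rewriting as an engine would apply it, once it has decided rewriting is needed at all. */
    static String encodeURL(URI request, String contextPath, String target,
                            String sessionId, boolean rewritingNeeded) {
        if (!rewritingNeeded || !shouldEncode(request, contextPath, target)) {
            return target;
        }
        int cut = target.length();                     // insert before '?' or '#', whichever comes first
        int q = target.indexOf('?');
        if (q >= 0) cut = q;
        int h = target.indexOf('#');
        if (h >= 0 && h < cut) cut = h;
        return target.substring(0, cut) + ";jsessionid=" + sessionId + target.substring(cut);
    }

    public static void main(String[] args) {
        URI request = URI.create("http://shop.example.com/purchasing/cart");   // constructed
        String ctx = "/purchasing";
        String sid = "ABC123";                                                 // constructed session id
        String[] links = {
            "checkout?step=2",                          // same host, same context: encoded
            "/purchasing/help#shipping",                // same host, same context: encoded
            "../store/catalog",                         // same host, other context (/store): not encoded
            "/purchasingx/item",                        // prefix lookalike, other context: not encoded
            "http://shop.example.com:8080/purchasing/", // other port: not encoded
            "http://other.example.com/purchasing/",     // other host: not encoded
            "mailto:sales@shop.example.com",            // no host at all: not encoded
        };
        for (String link : links) {
            System.out.printf("%-45s -> %s%n", link, encodeURL(request, ctx, link, sid, true));
        }
    }
}
```

Run with `java SessionUrlRule.java`. The `rewritingNeeded` flag stands in for the engine's own decision (for example, that the session id did not arrive in a cookie); the function only answers Geoff's question of which URLs are eligible once that decision has been made. Note that `URI.resolve` collapses `..` segments, so `../store/catalog` is recognised as leaving the `/purchasing` context even though the literal link text starts with neither prefix.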
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html