> IMHO, passing the session identifier to something that is not
> a URL into the same webapp is a security vulnerability.
> Struts should never do this
> -- although applications may (of course) implement their own
> schemes for establishing shared state, and such techniques
> may or may not be based on the servlet API's session id.
I wish I could remember the exact context in which this was used - but I do recall it was a requirement at the time. Possibly a Transact limitation. We're going back a year or two though. I agree after more thought, however, that it would not be the responsibility of Struts to implement this (after all, a response.redirect() would achieve the same thing).

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.401 / Virus Database: 226 - Release Date: 09/10/2002

--
To unsubscribe, e-mail: <mailto:struts-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-dev-help@;jakarta.apache.org>
