At 10:15 am 04-01-2002 -0800, you wrote:
> > Recently, we had a project using Struts with Weblogic. Weblogic has an
> > option in its proprietary weblogic.xml descriptor to turn off URL rewrite.
> > We tried it and it worked. No more 'jsessionid' appeared on the URL.
> >
> > (We tried this because our client was worried that the app users would try
> > to cut and paste the session id from one PC to another and compromise the
> > security...)
> >
>
>IMHO, this is an entirely insufficient argument for turning off URL
>rewriting.  You've got equivalent security issues with cookies -- the only
>difference is you cannot see them visibly.


Well, making it invisible does help a bit. "Security by Obscurity!" :-)

Btw, there's something I'm not too sure about. I suppose if cookies are enabled,
URL rewrite will not happen. However, on Weblogic, with cookies on, it
always does URL rewrite after the first login Action. (But the rest of the pages
are ok.) That's why we turn off URL rewrite with cookies turned on.


-- 
John Yu                       Scioworks Technologies
e: [EMAIL PROTECTED]         w: +(65) 873 5989
w: http://www.scioworks.com   m: +(65) 9782 9610

Scioworks Camino - "Rapid WebApp Assembly for Struts"

