The first request in a session will always result in a rewritten URL *and* a cookie being returned to the browser. That's because the servlet container does not yet know if the browser has cookies enabled, so it returns both. On the second request, the container will see the cookie, if cookies are enabled, and stop rewriting URLs. If the container didn't get the cookie back, then it will continue to rewrite the URLs.
See section 7.1 of the Servlet spec for more on this.

--
Martin Cooper

----- Original Message -----
From: "John Yu" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Sunday, January 06, 2002 7:37 PM
Subject: Re: Forced URL rewriting

> At 10:15 am 04-01-2002 -0800, you wrote:
> > > Recently, we had a project using Struts with Weblogic. Weblogic has an
> > > option in its proprietary weblogic.xml descriptor to turn off URL rewrite.
> > > We tried it and it worked. No more 'jsessionid' appeared on the URL.
> > >
> > > (We tried this because our client was worried that the app users would try
> > > to cut and paste the session id from one PC to another and compromise the
> > > security...)
> >
> > IMHO, this is an entirely insufficient argument for turning off URL
> > rewriting. You've got equivalent security issues with cookies -- the only
> > difference is you cannot see them visibly.
>
> Well, making it invisible does help a bit. "Security by Obscurity!" :-)
>
> Btw, there's something I'm not too sure about. I suppose if cookies are enabled,
> URL rewrite will not happen. However, on Weblogic, with cookies on, it
> always does URL rewrite after the first login Action. (But the rest of the pages
> are ok.) That's why we turn off URL rewrite with cookies turned on.
>
> --
> John Yu                       Scioworks Technologies
> e: [EMAIL PROTECTED]          w: +(65) 873 5989
> w: http://www.scioworks.com   m: +(65) 9782 9610
>
> Scioworks Camino - "Rapid WebApp Assembly for Struts"
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
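An added diagnostic servlet, not code from this thread nor from Struts or WebLogic, that makes the first-request/second-request behaviour Martin describes observable, plus a listener that restricts session tracking to cookies portably (Servlet 3.0 API, well after this 2002 thread) instead of the WebLogic-specific descriptor switch. The `/session-probe` mapping, the class names and the default `JSESSIONID` name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet; the mapping and the JSESSIONID name are assumptions.
@WebServlet("/session-probe")
public class SessionTrackingProbeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The first hit creates the session: the container answers with
        // Set-Cookie *and* keeps rewriting URLs until it sees the cookie back.
        HttpSession session = request.getSession(true);
        // encodeURL() appends ";jsessionid=..." only while the container has
        // not yet confirmed that this client returns the cookie.
        String link = response.encodeURL(request.getContextPath() + "/session-probe");
        boolean rewriting = link.toLowerCase().contains("jsessionid=");
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("new session this request:    " + session.isNew());
        out.println("session id came from cookie: " + request.isRequestedSessionIdFromCookie());
        out.println("session id came from URL:    " + request.isRequestedSessionIdFromURL());
        out.println("encoded link:                " + link);
        out.println("URL rewriting still active:  " + rewriting);
    }
}

// Cookie-only tracking: encodeURL() then never places the session id in a URL,
// so it cannot leak through access logs, Referer headers or pasted links.
@WebListener
class CookieOnlySessionTracking implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Load `/session-probe` twice from a cookie-enabled browser: the first response shows rewriting active and `isNew` true, the second shows the id arriving from the cookie and a plain link. With the listener deployed, clients that reject cookies cannot keep a session at all, which is the trade-off the thread is weighing.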