On Fri, 18 Oct 2002, Cliff Rowley wrote:
> While I think about it, it may also be desirable in some situations to
> keep the session information, even when redirecting to another scheme.

IMHO, passing the session identifier to something that is not a URL into the same webapp is a security vulnerability. Struts should never do this -- although applications may (of course) implement their own schemes for establishing shared state, and such techniques may or may not be based on the servlet API's session id.

Craig
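An added example, not part of the original message and not Struts code: one way to enforce the rule stated in the reply, attaching the session id to a redirect target only when it resolves inside the same webapp. It uses only `java.net.URI`; the class and method names, the hosts, the `/shop` context path and the session id are constructed, and treating a change of scheme or port as leaving the webapp is an assumption of this example.

```java
import java.net.URI;

public class SessionRedirect {

    /** True only if target resolves inside the webapp at base (scheme, host, port, context path). */
    static boolean isSameWebapp(URI base, String contextPath, String target) {
        URI resolved;
        try {
            resolved = base.resolve(target).normalize(); // handles relative targets and "../"
        } catch (IllegalArgumentException e) {
            return false;                                 // unparsable target: treat as foreign
        }
        // Opaque URIs (mailto:, javascript:) have no host and are rejected here.
        if (resolved.getScheme() == null || resolved.getHost() == null) return false;
        if (!resolved.getScheme().equalsIgnoreCase(base.getScheme())) return false;
        if (!resolved.getHost().equalsIgnoreCase(base.getHost())) return false;
        if (effectivePort(resolved) != effectivePort(base)) return false;
        String path = resolved.getPath() == null ? "" : resolved.getPath();
        // Compare on a path-segment boundary so "/shopadmin" is not taken for "/shop".
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Appends ;jsessionid=... only for targets inside the webapp; others are returned unchanged. */
    static String encodeRedirect(URI base, String contextPath, String target, String sessionId) {
        if (!isSameWebapp(base, contextPath, target)) return target;
        int cut = target.length();                        // insert before any query or fragment
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c == '?' || c == '#') { cut = i; break; }
        }
        return target.substring(0, cut) + ";jsessionid=" + sessionId + target.substring(cut);
    }

    public static void main(String[] args) {
        URI base = URI.create("http://app.example.test/shop/cart.do"); // constructed request URL
        String sid = "CONSTRUCTED-SESSION-ID";                         // constructed value
        String[] targets = {
            "checkout.do?step=2", "/shop/done.do", "/shopadmin/x.do", "//other.example.test/shop/",
            "https://app.example.test/shop/pay.do", "http://other.example.test/shop/" };
        for (String t : targets)
            System.out.println(t + " -> " + encodeRedirect(base, "/shop", t, sid));
    }
}
```

Only the first two targets come back with the session id attached; the look-alike context path, the protocol-relative URL, the scheme change and the foreign host are all returned unchanged.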