DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24455>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24455

allow to override 'cookies="false"' on a per session basis.

Summary: allow to override 'cookies="false"' on a per session basis.
Product: Struts
Version: 1.0 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: Other
Component: Controller
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

In my web-application I want to cater to users as privacy-sensitive as one can imagine. Unfortunately, most browsers do not allow their built-in cookie filters to distinguish between session cookies (relatively innocuous) and lasting cookies that can be quite harmful for privacy. As a consequence, in my server.xml, I set as a site-wide policy

<Context path=... cookies="false"

such that no cookie acceptance prompt will ever be triggered.

This rewriting (URL encoding) of jsessionid, however, opens other risks such as session hijacking if a user inadvertently discloses a full URL and an attacker exploits it before session timeout (one solution to all of this would hopefully be in the future http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22649).

Therefore, I would like those users who want to avoid these risks or who do have a cookie filter that can distinguish between the two cookie classes to switch back to cookie based session management on a per-user/session basis.
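An added example, not part of the original bug report: one way to watch for the disclosed-URL risk described above when `cookies="false"` forces the session id into the URL. It flags any `;jsessionid=` value requested from more than one client address and redacts the id from a URL before it is shared. The log format (combined access log), the sample lines, the addresses and the function names are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2003:10:00:01 +0000] "GET /app/home.do;jsessionid=A1B2C3D4E5F60718293A4B5C6D7E8F90 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2003:10:00:09 +0000] "GET /app/list.do;jsessionid=A1B2C3D4E5F60718293A4B5C6D7E8F90?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2003:10:04:30 +0000] "GET /app/home.do;jsessionid=A1B2C3D4E5F60718293A4B5C6D7E8F90 HTTP/1.1" 200 512 "-" "curl/7.10"
203.0.113.5 - - [10/Nov/2003:10:05:00 +0000] "GET /app/home.do;jsessionid=0F1E2D3C4B5A69788796A5B4C3D2E1F0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2003:10:05:02 +0000] "GET /app/style.css HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-log line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# The servlet container appends the id as a path parameter: ";jsessionid=<id>".
SID_RE = re.compile(r';jsessionid=([A-Za-z0-9._-]+)', re.IGNORECASE)


def sessions_by_client(log_text):
    """Map each URL-encoded session id to the set of client addresses using it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        sid = SID_RE.search(match.group("target"))
        if sid:
            seen[sid.group(1)].add(match.group("ip"))
    return seen


def shared_sessions(log_text):
    """Session ids seen from more than one address.

    This is a signal to review, not proof of hijacking: proxies and
    roaming clients can legitimately change address within a session.
    """
    return {sid: sorted(ips)
            for sid, ips in sessions_by_client(log_text).items()
            if len(ips) > 1}


def redact(url):
    """Strip the session id from a URL before it is logged or passed on."""
    return SID_RE.sub(";jsessionid=[redacted]", url)


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {', '.join(ips)}")
```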