See my remarks below:
> -----Original Message-----
> From: Blake Binkley [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 9 January 2001 07:17
> To: [EMAIL PROTECTED]
> Subject: automated URL rewriting
<snip/>
> My Questions:
>
> is there no setting in server.xml that we can set to have all
> anchors and
> form actions ending in .jsp rewritten?
Even if it is possible to automagically encode the URLs,
I wouldn't do it.
You would have to parse your output after it is generated
and before you really send it to the requesting client.
The parsing has to be quite flexible to recognise links
to external sites and links that don't go back to the
server.
Links to external sites shouldn't include the session id.
(That would open the door to stealing the session.)
There are several ways to code URLs so that it
is hard to say which site will be the target. Just two
examples:
1:
<base href="http://some.server.domain/"><a href="/some/image.gif"></a>
2:
<script>
someServer = 'http://someServer';
function someFunction() {
  return someServer + '/some/image.gif';
}
</script>
<a href="javascript:someFunction()">
You have to prevent the encoding on any link like
<a href="javascript:history.go(-2)">
So this leads to quite some effort in development (or
organisation, if you try to get around this by enforcing
appropriate policies for your web developers) and
performance penalties. And I bet: you will never be sure
that there isn't a hole somewhere.
> perhaps to add an extra level of security can we not encrypt
> the jsessionId
> with the value of Remote_IP so that it invalidates on a bad
> decryption?
This would be very unfriendly to everybody who is
connected to the web with dynamic IP addresses
(e.g. connecting through a call-by-call provider).
Depending on the setting you can get several different IP
addresses during one session.
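As an added illustration of the point made above about automatic URL rewriting (example code written for this thread, not from the original mail or from Tomcat): a conservative link classifier that appends the session id only to links which, after resolving against any <base href>, still point at our own host over http/https. External links, protocol-relative links and javascript: pseudo-URLs are left untouched so the session id never leaks to another site. The host name, request URL, session id and sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

OUR_HOST = "app.example.test"                    # constructed host name
REQUEST_URL = "http://app.example.test/page.jsp" # constructed request URL
SESSION_ID = "ABC123"                            # constructed, not a real id


class LinkCollector(HTMLParser):
    """Collect <base href>, <a href> and <form action> values from generated HTML."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        elif tag in ("a", "form"):
            key = "href" if tag == "a" else "action"
            if a.get(key) is not None:
                self.hrefs.append(a[key])


def should_encode(href, base, request_url, our_host=OUR_HOST):
    """True only if the link really goes back to our own server over HTTP(S)."""
    effective_base = urljoin(request_url, base) if base else request_url
    target = urlsplit(urljoin(effective_base, href))
    # javascript:, mailto:, data: etc. have no host and must never be rewritten
    return target.scheme in ("http", "https") and target.hostname == our_host


def encode_url(href, session_id=SESSION_ID):
    """Insert ;jsessionid=... before the query string, as servlet containers do."""
    path, sep, query = href.partition("?")
    return f"{path};jsessionid={session_id}{sep}{query}"


def rewrite_links(html, request_url=REQUEST_URL):
    """Return (original, rewritten) pairs; untouched links are returned unchanged."""
    parser = LinkCollector()
    parser.feed(html)
    return [(h, encode_url(h) if should_encode(h, parser.base, request_url) else h)
            for h in parser.hrefs]


# Constructed page: the <base> makes the relative /login.jsp an external link.
SAMPLE_HTML = """<html><head><base href="http://other.example.test/"></head><body>
<a href="/login.jsp">login</a>
<a href="http://app.example.test/account.jsp?tab=1">account</a>
<a href="javascript:history.go(-2)">back</a>
<form action="http://app.example.test/search.jsp"></form>
</body></html>"""
```

Running rewrite_links(SAMPLE_HTML) leaves the base-redirected login link and the javascript: link alone and rewrites only the two links that resolve to our own host.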
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]