Anson,

If cookies are disabled, Tomcat uses URL rewriting to store the session ID.
When you encode URLs you need to use special methods to support this
feature.  These methods are defined in HttpServletResponse and are:
    String encodeURL(String url)
    String encodeRedirectURL(String url)

So, instead of calling:
    response.sendRedirect(url);
you should call:
    response.sendRedirect(response.encodeRedirectURL(url));

If the session ID is stored in a cookie, this call is a NOOP.

Does this make sense?  By the way, you may have noticed that some web sites
have a mysterious ";jsessionid=BASE64-encoded-gobbledygook" added to the
URLs when you browse them (try www.postoffice.co.uk for an example).  This
is URL-rewriting in action.  Importantly, the jsessionid value is opaque.
Unless you'd managed to spy on another user's session, there is no useful
change you could make to this value to enhance your privileges on the web
site.  The session IDs are long, random, unique strings used (presumably) as
the key to a hashtable.

Of course, there's nothing to stop you implementing a similar scheme
yourself, but there's no need.

Hope this is useful.

Chris.
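To make the two calls concrete, here is an added example (not from Chris's message and not Tomcat's own code) of a hypothetical login servlet that uses both encodeRedirectURL and encodeURL; the class name, the "/welcome" and "/logout" paths and the "username" parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (assumed name and paths) illustrating the two encode methods.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(true) creates the session; the container generates the opaque ID.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", request.getParameter("username"));

        // Redirect target within this web application.
        String target = request.getContextPath() + "/welcome";

        // encodeRedirectURL appends ";jsessionid=..." only when the client did not
        // send the ID in a cookie (for a brand-new session the container cannot yet
        // know whether cookies work, so it rewrites). Otherwise the URL is returned
        // unchanged, which is the no-op case described above.
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // Links written into the page go through encodeURL, the sibling method.
        String logoutLink = response.encodeURL(request.getContextPath() + "/logout");
        out.println("<a href=\"" + logoutLink + "\">Log out</a>");

        // Handy when diagnosing: reports which mechanism carried the ID in.
        out.println("<p>Session ID came from URL: "
                + request.isRequestedSessionIdFromURL() + "</p>");
    }
}
```

An ID carried in the URL also ends up in server logs and Referer headers, which is why Servlet 3.0 and later containers let you restrict tracking to cookies with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml.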
