It is not possible and it's a quite difficult topic excerpt from a earlier post of mine: Even if it is possible to automagically encode the url's, I wouldn't do it. You would have to parse your output after it is generated and before you really send it to the requesting client. The parsing has to be quite flexible to recognise links to external sites and links that don't go back to the server. Links to external sites shouldn't include the session id. (That would open the door to steal the session). There are several ways to code URL's in a way that it is hard to say which site will be the target. Just two examples: 1: <base href="some.server.domain"><a href="/some/image.gif"></a> 2: <script> someServer = 'someServer'; someFunction() { return someServer + '/some/image.gif'; } </script> <a href="javasript:someFunction()"> You have to prevent the encoding on any link like <a href="javasript:history.go(-2)> So this leads to quite some effort in development (or organisation, if you try to come around this by enforcing apropriate policies for your web developers) and performance penalties. And I bet: you will never be shure if there isn't a whole anywhere. > -----Ursprüngliche Nachricht----- > Von: Martin Lilienthal [mailto:[EMAIL PROTECTED]] > Gesendet: Sonntag, 11. März 2001 16:21 > An: [EMAIL PROTECTED] > Betreff: Automatic URL-Encoding (sessionID) > > > Hi, > > is it possible to configure tomcat, that sessionIDs are automatically > encoded into _every_ URL in JSPs without doing > <%=response.encodeURL("/context/page.jsp")%>? > > > > Thanks in advance > > > Martin Lilienthal > >