Thanks a ton! It works.

Regards,

Gautam S

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]]On Behalf Of Bill Barker
Sent: Friday, October 04, 2002 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: JSession ID in address bar


Assuming that you are using "best practices", the jsessionid can't be
snooped on an SSL connection.  However, on the first access to the protected
page, Tomcat has no idea if your browser supports Cookies or not.  The only
safe access after authentication is to do URLEncoding.  To remove this, you
need to provide a welcome servlet to your web-app that isn't password
protected, and that requests a session.  After this, Tomcat will get its
Cookie and be happy.

"gautam" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello,
>
> I am using form based authentication for my application (Tomcat 4.0.5, JDK
> 1.4, Win2K). I have tomcat configured to use SSL. Everything works fine.
> However, I keep getting the jsessionid value in the address bar. This
> happens for the first page only. Does not appear for subsequent pages
> (regardless of authentication result). I am using IE 6.0.
>
>
> https://localhost:8553/mywebapp/logon.jsp;jsessionid=E752F79F89D3423A1BEBB4D4F2802D60
>
> I am accessing the web app by : https://localhost:8553/mywebapp/
>
> Web XML snippet :
> ------------------
>
> <welcome-file-list><welcome-file>/jsp/index.jsp</welcome-file></welcome-file-list>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Secure Area</web-resource-name>
> <url-pattern>*.jsp</url-pattern>
> <url-pattern>*.ma</url-pattern>
> </web-resource-collection>
> <auth-constraint><role-name>*</role-name></auth-constraint>
>
>
> <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/logon.jsp</form-login-page>
> <form-error-page>/fail_logon.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role><role-name>*</role-name></security-role>
>
> Logon.jsp snippet :
> ------------------
> <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
>
> <table border="1" cellspacing="0" width="250" cellpadding="0"
> bgcolor="#FFF8DC"><tr><td colspan="2">&nbsp;</td></tr>
> <tr><td width="50%" valign="middle" align="right"><font
> color="#000000"><b>User Id:</b></font>&nbsp;</td><td width="50%"
> valign="middle" align="center"><p>&nbsp;
>
> <input type="text" name="j_username" size="16" maxlength="16">
>
> </p></td></tr><tr><td width="50%" valign="middle" align="right"><b><font
> color="#000000">Password:</font></b> </td><td width="50%" valign="middle"
> align="center">&nbsp;
>
> <input type="password" name="j_password" size="16" maxlength="16">
>
> </td></tr><tr><td width="50%" valign="middle" align="right">&nbsp;</td><td
> width="50%" valign="middle" align="center">
>
> <input type=submit name="logon_submit" value="Login"/>
>
> </td></tr></table>
>
> </form>
>
> fail_logon.jsp snippet :
> ---------------------
> <table width="100%">
>   <tr><td align="left">Unable to login. <a href='<%=
> response.encodeURL("logon.jsp") %>'>Please try again.</a></td></tr>
> </table>
>
> My index.jsp page just has normal HREFs in it. No Java code.
>
> What is happening ? How do I correct this ?
>
> Regards,
>
> Gautam S





--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
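
The unprotected welcome servlet described in Bill Barker's reply, as an added example that is not part of the original thread and not Tomcat's own code. The class name `WelcomeServlet`, the `/welcome` mapping and the redirect target are assumptions; the target is taken from the welcome-file entry in the posted web.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, added for illustration.
//
// Assumed web.xml wiring (names are placeholders):
//   <servlet>
//     <servlet-name>welcome</servlet-name>
//     <servlet-class>WelcomeServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>welcome</servlet-name>
//     <url-pattern>/welcome</url-pattern>
//   </servlet-mapping>
//
// "/welcome" matches neither *.jsp nor *.ma, so the security-constraint
// in the posted web.xml does not apply and no login is triggered here.
public class WelcomeServlet extends HttpServlet {

    // Assumption: the protected page users should land on after this hop.
    private static final String PROTECTED_START = "/jsp/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Request a session before authentication starts. The container
        // attaches the session cookie to this response.
        request.getSession(true);

        // Plain sendRedirect(), deliberately not encodeRedirectURL():
        // the Location header carries no ";jsessionid=..." suffix.
        // A browser that accepts cookies returns the cookie on the next
        // request, so the container knows cookies work and stops
        // rewriting URLs. A browser that rejects cookies arrives without
        // a session id and the container falls back to URL rewriting.
        response.sendRedirect(request.getContextPath() + PROTECTED_START);
    }
}
```

With this wiring the application is entered through `https://localhost:8553/mywebapp/welcome` (an assumed entry URL) rather than directly through a protected page.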



