This is part of the container, and part of the spec.
You can control security by putting information into your httpsession, or creating your own cookie.
In short, I would not rely upon the presence of jsessionid to do authorization.
At 12:55 PM 11/5/2002 +0100, you wrote:
Hi all, I have defined several security constraints on my servlet context and I would like to maintain the jsessionid that the login page receives on the login error page in case of authentification fail. Is this possible on Tomcat 3.3.1? If so, do you know if it is also possible in any JBoss version?Thanks in advance, Jose Andres -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
-- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
