Part of the OWASP recommendations is that we do not allow authentication
and session data to be submitted via GET request; this includes the
session id. This comes from the OWASP Top Ten
(http://www.owasp.org/documentation/topten/a3.html) under A3.5, under
"Browser Caching" and "Session ID Protection".

I can tell JSPs to pass parameters in using a POST request, but if the
user passes the parameters in through the URL, I need to be able to
restrict that. Does anyone know of any way to do this in Struts?

Also, does anyone know how to force Struts to not pass along the session
id if cookies are disabled?

-- 
Josh Cronemeyer
Information Network of Kansas

"I don't understand," said the scientist, "why you lemmings all rush 
down to the sea and drown yourselves."

"How curious," said the lemming.  "The one thing I don't understand 
is why you human beings don't."
  
From Interview With a Lemming, by James Thurber
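One defensive approach to both questions, as an added example that is not from the original thread: a servlet filter placed in front of the Struts ActionServlet that rejects GET requests carrying credential parameters or a URL-borne session id, and wraps the response so the container never rewrites `;jsessionid=` into links. The filter name and the credential parameter names are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter mapped to /* in web.xml, ahead of the Struts ActionServlet.
// 1. GET requests naming a credential parameter in the query string are rejected.
// 2. Requests carrying the session id in the URL (;jsessionid=...) are rejected.
// 3. The response is wrapped so encodeURL()/encodeRedirectURL() never append
//    ;jsessionid=..., which the container does by default when cookies are off.
public class NoSessionDataInGetFilter implements Filter {
    // Assumed login form field names; adjust to the application's ActionForm.
    private static final Set<String> CREDENTIAL_PARAMS =
            new HashSet<String>(Arrays.asList("username", "password"));

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Session id arrived as a URL path parameter instead of a cookie.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "session id must not be in the URL");
            return;
        }

        // For GET every parameter comes from the query string, so a credential
        // name here means credentials are in the URL (logs, history, caches).
        if ("GET".equalsIgnoreCase(request.getMethod())) {
            for (Object name : request.getParameterMap().keySet()) {
                if (CREDENTIAL_PARAMS.contains(((String) name).toLowerCase())) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "credentials must be POSTed");
                    return;
                }
            }
        }

        // Disable URL rewriting: hand back the URL untouched.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
        };
        chain.doFilter(request, noRewrite);
    }
}
```

The Struts html tags rewrite links through the response's encodeURL(), so the wrapper covers them as well as your own redirects. On a Servlet 3.0 or newer container the rewriting can instead be switched off declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml.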

