I think JSF and Shale are! LOL

:) Sorry Craig, couldn't resist :)

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Thu, July 28, 2005 10:50 am, [EMAIL PROTECTED] said:
> Are you asking if Struts can control what URL your user types into his
> browser?  I could be wrong, but somehow, I don't think Struts is _that_
> powerful.  ;)
>
> -Dennis
>
>
>
>
> Josh Cronemeyer <[EMAIL PROTECTED]>
> 07/28/2005 10:48 AM
> Please respond to
> "Struts Users Mailing List" <user@struts.apache.org>
>
>
> To
> Struts Users Mailing List <user@struts.apache.org>
> cc
>
> Subject
> Restricting Get requests
>
>
>
>
>
>
> Part of the OWASP recommendations is that we do not allow authentication
> and session data to be submitted via GET request; this includes the
> session ID. This comes from the OWASP top ten
> (http://www.owasp.org/documentation/topten/a3.html) under A3.5 under
> "Browser Caching" and "Session ID Protection".
>
> I can tell JSPs to pass parameters in using a POST request, but if the
> user passes the parameters in through the URL, I need to be able to
> restrict that. Does anyone know of any way to do this in Struts?
>
> Also, does anyone know how to force Struts to not pass along the session
> ID if cookies are disabled?
>
> --
> Josh Cronemeyer
> Information Network of Kansas
>
> "I don't understand," said the scientist, "why you lemmings all rush
> down to the sea and drown yourselves."
>
> "How curious," said the lemming.  "The one thing I don't understand
> is why you human beings don't."
>
> From Interview With a Lemming, by James Thurber
>
> CONFIDENTIALITY NOTICE:
> This E-mail and any attachments are confidential.  If you are not the
> intended recipient, you do not have permission to disclose, copy,
> distribute, or open any attachments.  If you have received this E-mail
> in error, please notify us immediately by returning it to the sender
> and delete this copy from your system.
>
> Thank you.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
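The thread never gets past the jokes, so here is one way to enforce the two points Josh raises at the servlet layer, which is where a Struts 1 application can actually see the raw request. This is an added example, not code from the thread, from Struts, or from OWASP: a hypothetical `javax.servlet.Filter` that (a) rejects any request whose session ID arrived in the URL rather than a cookie, (b) rejects any request carrying credential or session parameters in the query string, so a GET cannot smuggle them in even when the JSP form says POST, and (c) wraps the response so `encodeURL`/`encodeRedirectURL` never append `;jsessionid=...`, which stops the container's URL rewriting when cookies are disabled. The parameter names `username`, `password` and `jsessionid` are assumptions; substitute the application's own field names.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Struts) that keeps credentials and the
 * session ID out of URLs: they may travel only in a POST body or a cookie.
 * Map it in web.xml ahead of the Struts ActionServlet, e.g. url-pattern /*.
 */
public class PostOnlySensitiveParamsFilter implements Filter {

    // Assumed field names; adjust to the application's login form.
    private static final Set<String> SENSITIVE_PARAMS = new HashSet<String>(
            Arrays.asList("username", "password", "jsessionid"));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // (a) Session ID came in via ;jsessionid=... rather than a cookie.
        //     Such a URL ends up in browser history, proxy logs and Referer
        //     headers, so drop the session rather than honour it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session ID must not be passed in the URL");
            return;
        }

        // (b) Credentials or a session ID in the query string, whatever the
        //     method: a GET with ?password=... is the case OWASP warns about,
        //     but a POST whose URL also carries them gets logged just the same.
        if (queryStringHasSensitiveParam(request.getQueryString())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Authentication and session data must be sent in a POST body");
            return;
        }

        // (c) Anything downstream that calls response.encodeURL (the Struts
        //     HTML tags do) gets the URL back unchanged: no jsessionid rewriting.
        chain.doFilter(request, new NoUrlRewritingResponse(response));
    }

    /** True if any query-string parameter name is in SENSITIVE_PARAMS. */
    static boolean queryStringHasSensitiveParam(String query) {
        if (query == null || query.length() == 0) {
            return false;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            String name;
            try {
                // Decode so that a percent-encoded name (%70assword) is still caught.
                name = URLDecoder.decode(rawName, "UTF-8").toLowerCase();
            } catch (UnsupportedEncodingException e) {
                return true; // treat undecodable input as suspicious
            } catch (IllegalArgumentException e) {
                return true; // malformed percent-encoding
            }
            if (SENSITIVE_PARAMS.contains(name)) {
                return true;
            }
        }
        return false;
    }

    /** Response wrapper that disables session-ID URL rewriting. */
    private static final class NoUrlRewritingResponse extends HttpServletResponseWrapper {
        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        public String encodeURL(String url) {
            return url;
        }

        public String encodeRedirectURL(String url) {
            return url;
        }
    }
}
```

With this in place a user who has cookies disabled simply cannot hold a session, which is the trade-off the OWASP guidance implies; if that is unacceptable the filter can instead redirect such users to an explanatory page. On a Servlet 3.0 or later container the rewriting half of the problem is also solvable declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, but the query-string check still has to be done in code.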


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
