Hi all,
Joerg made a good point the other day (below) about always using URL rewriting rather than cookies, for security reasons. I've decided that we should do the same, since ours will be an e-commerce site and if somebody is using a public computer (like at a university) then closing the browser shouldn't leave that person logged in (and hence leave their personal account details vulnerable, even if somebody else can't place an order without entering a credit card).
I was also wrong in saying that the URLs were being encoded whether or not cookies are enabled--they're actually not, as I've verified today.
With all that said, how can I tell Tomcat to always encode the URLs? It says this in the API documentation for method encodeURL() in the interface HttpServletResponse:
"Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary."
This doc is here: "http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpServletResponse.html#encodeURL(java.lang.String)"
Not a Tomcat-specific doc, but the behavior matches what I'm seeing.
Sonny
> From: Joerg Heinicke <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: URLs being encoded WITH cookies enabled
> Date: Tue, 26 Aug 2003 10:16:21 +0200
>
> Sonny Sukumar wrote:
>
> > Anyhow, 2 other reasons I'd prefer URL/link rewriting not to occur when cookies are enabled:
> >
> > 1.) It takes up precious time to parse a document and rewrite links.
>
> IMO this can be ignored. The second reason is much more important.
>
> We do the link rewriting ourselves in an XSLT stylesheet when generating the page. This is especially useful if you need rewritten JavaScript links.
>
> > 2.) If someone closes the browser, the session is gone, whereas a cookie still remains even after closing the browser and can be used to re-establish the same session, provided the session is still valid on the server.
>
> This is true and maybe important for you or your users' comfort. As we develop mostly applications related to banking or payment, the security issues are more important for us. If anybody leaves his PC for 5 minutes for a smoke or a coffee, nobody else shall simply open the browser and order something with the other one's identity. So we abstain from cookies completely.
>
> Joerg
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
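As an added illustration (not code from the thread, from Tomcat, or from either poster), the following servlet filter shows what the container's encodeURL() does once it decides that rewriting is needed: it inserts ";jsessionid=<id>" into the path part of the link, before any query string or fragment, and does so only for links that stay on the site's own host, since a session id rewritten into a link to another site would be leaked to that site in the Referer header. The class name ForceUrlRewritingFilter and the web.xml mapping are assumptions. Page code must still pass each link through response.encodeURL(); nothing rewrites emitted HTML for you. Note that this wrapper alone does not stop Tomcat from also issuing the JSESSIONID cookie; disabling cookie-based tracking is done in the container configuration (the Context element's cookies attribute in server.xml, set to false), after which Tomcat's own encodeURL() already rewrites every URL and this wrapper only documents the logic.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not part of Tomcat): makes
 * encodeURL()/encodeRedirectURL() append the session id to same-host
 * links regardless of whether the browser accepted a cookie.
 *
 * Assumed web.xml mapping:
 *   <filter><filter-name>forceRewrite</filter-name>
 *     <filter-class>ForceUrlRewritingFilter</filter-class></filter>
 *   <filter-mapping><filter-name>forceRewrite</filter-name>
 *     <url-pattern>/*</url-pattern></filter-mapping>
 */
public class ForceUrlRewritingFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        chain.doFilter(request, new RewritingResponse(request, response));
    }

    static final class RewritingResponse extends HttpServletResponseWrapper {
        private final HttpServletRequest request;

        RewritingResponse(HttpServletRequest request, HttpServletResponse response) {
            super(response);
            this.request = request;
        }

        public String encodeURL(String url) { return appendSessionId(url); }
        public String encodeRedirectURL(String url) { return appendSessionId(url); }

        /** Inserts ";jsessionid=<id>" before any "?" or "#", at most once. */
        String appendSessionId(String url) {
            HttpSession session = request.getSession(false);
            if (session == null || url == null || url.indexOf(";jsessionid=") >= 0) {
                return url;                      // no session yet, or already rewritten
            }
            if (!isSameHost(url)) {
                return url;                      // never hand the id to another site
            }
            int cut = url.length();
            int q = url.indexOf('?');
            int h = url.indexOf('#');
            if (q >= 0) cut = q;
            if (h >= 0 && h < cut) cut = h;
            return url.substring(0, cut) + ";jsessionid=" + session.getId()
                 + url.substring(cut);
        }

        /** Relative links are local; absolute links must name this server's host. */
        private boolean isSameHost(String url) {
            int schemeEnd = url.indexOf("://");
            if (schemeEnd < 0) {
                return true;
            }
            int authStart = schemeEnd + 3;
            int authEnd = url.indexOf('/', authStart);
            String authority = authEnd < 0 ? url.substring(authStart)
                                           : url.substring(authStart, authEnd);
            int colon = authority.indexOf(':');
            String host = colon < 0 ? authority : authority.substring(0, colon);
            return host.equalsIgnoreCase(request.getServerName());
        }
    }
}
```

Two things a reviewer would want recorded alongside this choice: a session id carried in the URL ends up in bookmarks, proxy and server access logs, and the browser history, so log retention and log access deserve the same care as the session store itself; and because the id is visible, the application should discard any pre-login session and create a fresh one when the user authenticates (invalidate() followed by getSession(true)), so that a session id seen before login is never the one that carries an authenticated account.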
