> From: Scott Hamilton [mailto:scott.hamil...@plateau.com]
> Subject: Is there a better way to disable JSESSIONID in the URLs?
>
> there is no way to disable tomcat from putting the JSESSIONID in URLs
> automatically with a nice friendly global switch/property.

Tomcat won't put the jsessionid in the URL unless cookies are disabled. If they are, then your webapp could refuse to talk to the client.

> We have an app whose security is a concern for our customers, and
> JSESSIONIDs appearing in the URLs freak them out

And the id value in a cookie doesn't? What stops anyone from e-mailing the cookie to someone else?

If someone is truly concerned about security, then they *must* run *all* traffic through SSL. If the customers don't do that, they're not really concerned, despite whatever words they're using.

 - Chuck