Disabling re-writing for Tomcat sessions
1 posts in topic
Flat View  Flat View
Older Post First |   Reply to Topic
TOPIC ACTIONS:
 

Posted By:   Tim_Blair
Posted On:   Thursday, November 29, 2007 05:58 PM

I know this has probably been asked an answered before, but I've tried searching and haven't found anything.

Is there a way to restrict Tomcat's session management to only use cookies and never rewrite URLs to include the ;jsessionid=... part?


I know the Servlet spec says that URL rewriting is the last resort mechanism for sessions, but in our application, it is an absolute requirement that the session id never appear in the URL to prevent session hijacking.

Report | Quote This | Send private message | Reply | Print

Re: Disabling re-writing for Tomcat sessions

Posted By:   Robert_Lybarger  
Posted On:   Thursday, November 29, 2007 08:52 PM

I didn't turn up much in direct answer to the question either (odd, admittedly), but a suggestion on some other forum (let's call it a workaround) is to add a filter to strip the sessionid from the response. Don't know what that does to operational behavior or efficiency, just thought I'd throw that over to you. [/shrug]
Report | Quote This | Send private message | Reply | Print
About | Sitemap | Contact