You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2016/02/02 15:23:39 UTC

[jira] [Created] (OFBIZ-6872) Remove all sessionsIds put in URLs

Jacques Le Roux created OFBIZ-6872:
--------------------------------------

             Summary: Remove all sessionsIds put in URLs
                 Key: OFBIZ-6872
                 URL: https://issues.apache.org/jira/browse/OFBIZ-6872
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Trunk
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux
             Fix For: Upcoming Branch


We should always use sessionIds in cookies and newer have sessionsIds in URLs. So I will remove all sessionsIds in URLs. There are 2 cases:

#    the part related to spiders in RequestHandler
#    HtmlFormRenderer.appendExternalLoginKey() (there is also an appendExternalLoginKey method in MacroFormRenderer class but it's not used OOTB)

There are also many cases where we show the sessionId in logs (using UtilHttp.getSessionId()) I wonder if we should not keep those commented out or change the debug info level. Also HttpSessionEvent.getSession().getId() is directly used in some places for the same purpose (log)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)