Posted to users@tomcat.apache.org by William Stranathan <sh...@gmail.com> on 2005/07/07 18:01:05 UTC
Turning off jsessionid on URL?
Is there a configuration parameter to ONLY send the jsessionid by
cookie, not on the URL bar?
Picture this, user goes to your site http://www.yoursite.com/yourapp
yoursite redirects to the menu page, which gives a jsessionid. That
page is under an auth-constraint and requires login, so you get
displayed the login page, but the URL you've been redirected to
includes the jsessionid - like:
http://www.yoursite.com/yourapp/Menu.do;jsessionid=D2DC09EB64CBC7690BCEA68CA484B4C3
User wants to share the site with their friends, so they copy/paste
from the URL bar. Then they log in - their session is now logged in,
AND they have the same session ID.
And yes, this does work - I'm able to copy/paste between different
browsers (exploder and firefox) and the session works fine.
Is there a way to turn that feature off?
w
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Turning off jsessionid on URL?
Posted by Michael Jouravlev <jm...@gmail.com>.
See my question about two weeks ago on how to detect jsessionid in the
URL. Looks like it is not directly possible, but you can use our own
request parameter to find this out. After you detect that jsessionid
is in the URL (the harder part), make another redirect to the same
location, and the URL will come clean.
Michael.
On 7/7/05, William Stranathan <sh...@gmail.com> wrote:
> Is there a configuration parameter to ONLY send the jsessionid by
> cookie, not on the URL bar?
>
> Picture this, user goes to your site http://www.yoursite.com/yourapp
> yoursite redirects to the menu page, which gives a jsessionid. That
> page is under an auth-constraint and requires login, so you get
> displayed the login page, but the URL you've been redirected to
> includes the jsessionid - like:
> http://www.yoursite.com/yourapp/Menu.do;jsessionid=D2DC09EB64CBC7690BCEA68CA484B4C3
> User wants to share the site with their friends, so they copy/paste
> from the URL bar. Then they log in - their session is now logged in,
> AND they have the same session ID.
>
> And yes, this does work - I'm able to copy/paste between different
> browsers (exploder and firefox) and the session works fine.
>
> Is there a way to turn that feature off?
Re: Turning off jsessionid on URL?
Posted by William Stranathan <sh...@gmail.com>.
I only sent the message once. I apologize for any inconvenience, but
I wonder if gmail and/or ezmlm are having issues today - I've received
the welcome message from ezmlm four times now.
w
On 7/7/05, Tim Funk <fu...@joedog.org> wrote:
> Please stop posting the same question 4 times and please wait for a response.
>
> The answer to the question below is no. There is no switch. To not use URL
> rewriting, do not utilize the method HttpServletResponse.encodeURL(). Of
> course - this requires a code rewrite.
>
> The easier solution is to implement a servlet filter which creates a
> HttpServletResponseWrapper which overrides encodeURL and encodeRedirectURL
>
> -Tim
>
> William Stranathan wrote:
>
> > Is there a configuration parameter to ONLY send the jsessionid by
> > cookie, not on the URL bar?
> >
> > Picture this, user goes to your site http://www.yoursite.com/yourapp
> > yoursite redirects to the menu page, which gives a jsessionid. That
> > page is under an auth-constraint and requires login, so you get
> > displayed the login page, but the URL you've been redirected to
> > includes the jsessionid - like:
> > http://www.yoursite.com/yourapp/Menu.do;jsessionid=D2DC09EB64CBC7690BCEA68CA484B4C3
> > User wants to share the site with their friends, so they copy/paste
> > from the URL bar. Then they log in - their session is now logged in,
> > AND they have the same session ID.
> >
> > And yes, this does work - I'm able to copy/paste between different
> > browsers (exploder and firefox) and the session works fine.
> >
> > Is there a way to turn that feature off?
> >
>
Re: Turning off jsessionid on URL?
Posted by Tim Funk <fu...@joedog.org>.
Please stop posting the same question 4 times and please wait for a response.
The answer to the question below is no. There is no switch. To not use URL
rewriting, do not utilize the method HttpServletResponse.encodeURL(). Of
course - this requires a code rewrite.
The easier solution is to implement a servlet filter which creates a
HttpServletResponseWrapper which overrides encodeURL and encodeRedirectURL
-Tim
William Stranathan wrote:
> Is there a configuration parameter to ONLY send the jsessionid by
> cookie, not on the URL bar?
>
> Picture this, user goes to your site http://www.yoursite.com/yourapp
> yoursite redirects to the menu page, which gives a jsessionid. That
> page is under an auth-constraint and requires login, so you get
> displayed the login page, but the URL you've been redirected to
> includes the jsessionid - like:
> http://www.yoursite.com/yourapp/Menu.do;jsessionid=D2DC09EB64CBC7690BCEA68CA484B4C3
> User wants to share the site with their friends, so they copy/paste
> from the URL bar. Then they log in - their session is now logged in,
> AND they have the same session ID.
>
> And yes, this does work - I'm able to copy/paste between different
> browsers (exploder and firefox) and the session works fine.
>
> Is there a way to turn that feature off?
>
Re: control ports on windows
Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
On Thursday 07 July 2005 17:25, Tony Smith wrote:
> Hi, I am running Tomcat 5.0 on Windows. But what I
> want to do it not link to Tomcat. I would like to know
> how to control all those ports. For example, I would
> like to open 8080 but close 8089, etc...
>
>
> Thanks,
1) Don't hijack someone else's thread for yourself (you even seemed to have
asked the writer of the original thread directly rather than the list)
2) Be a bit clearer in what you are asking. What does "what I want to do it
[is?] not link to Tomcat" mean? In particular what is the rather ambiguous
word "link" meant to mean? Are you talking about connecting another web
server, and if so which one?
3) Tell us what you have done to try and figure it out for yourself - Hint:
have you looked at server.xml?
--
Alan Chandler
http://www.chandlerfamily.org.uk
control ports on windows
Posted by Tony Smith <qu...@yahoo.com>.
Hi, I am running Tomcat 5.0 on Windows. But what I
want to do it not link to Tomcat. I would like to know
how to control all those ports. For example, I would
like to open 8080 but close 8089, etc...
Thanks,