Posted to users@tomcat.apache.org by Ralph Einfeldt <ra...@uptime-isc.de> on 2001/04/11 16:32:50 UTC

Re: Automatic URL-Encoding (sessionID)

It is not possible, and it's quite a difficult topic.

Excerpt from an earlier post of mine:

Even if it were possible to automagically encode the URLs,
I wouldn't do it.

You would have to parse your output after it is generated
and before you really send it to the requesting client.
The parsing has to be quite flexible to recognise links
to external sites and links that don't go back to the 
server.

Links to external sites shouldn't include the session id.
(That would open the door to stealing the session.)
There are several ways to code URLs such that it
is hard to tell which site will be the target. Just two
examples:
	1:
	<base href="http://some.server.domain/"><a href="/some/image.gif"></a>
	2:
	<script>
	  someServer = 'someServer';
	  function someFunction() {
	    return someServer + '/some/image.gif';
	  }
	</script>
	<a href="javascript:someFunction()">

You have to prevent the encoding on any link like
<a href="javascript:history.go(-2)">

So this leads to quite some effort in development (or
organisation, if you try to get around this by enforcing
appropriate policies for your web developers) and
performance penalties. And I bet you will never be sure
there isn't a hole somewhere.

> -----Original Message-----
> From: Martin Lilienthal [mailto:Martin.Lilienthal@lilienthal-IS.com]
> Sent: Sunday, March 11, 2001 16:21
> To: tomcat-user@jakarta.apache.org
> Subject: Automatic URL-Encoding (sessionID)
> 
> 
> Hi,
> 
> Is it possible to configure Tomcat so that session IDs are automatically
> encoded into _every_ URL in JSPs without doing
> <%=response.encodeURL("/context/page.jsp")%>?
> 
> 
> 
> Thanks in advance
> 
> 
> Martin Lilienthal
> 
>