DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks

bugzilla Mon, 23 Jun 2008 01:58:55 -0700

https://issues.apache.org/bugzilla/show_bug.cgi?id=45255






--- Comment #2 from Rainer Jung <[EMAIL PROTECTED]>  2008-06-23 01:58:29 PST ---
Hi Mark,

Spec 7.1 seems to say:

- a compliant container may support URL encoded sessions ("may be used")
- if it does support them, it has to use the path parameter "jsessionid"

So if a site decides to only use cookies because of security, it could be an
interesting option to allow not even accepting session IDs which were URL
encoded.

What do you think?


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks

Reply via email to