URL Rewriting is considered to be a significant security risk (session IDs get exposed in browser history, bookmarks, proxy servers and other server-side application logs).
I would like to propose that we create a patch for Tomcat that allows URL Rewriting to be completely disabled via configuration. Since this is a bit off the 2.5 spec, I think we might want to keep this turned on by default, with an option to disable. Several other Servlet 2.5 containers have implemented this idea some way.

Anyone think this is a reasonable patch? How difficult do you think this will be, if so?

Best Regards,
Jim Manico