Jim Manico wrote:
> URL Rewriting is considered to be a significant security risk (session
> IDs get exposed in browser history, bookmarks, proxy servers and other
> server-side application logs).
>
> I would like to propose that we create a patch for Tomcat that allows
> URL Rewriting to be completely disabled via configuration. Since this is
> a bit off the 2.5 spec, I think we might want to keep this turned on by
> default, with an option to disable.
>
> Several other Servlet 2.5 containers have implemented this idea some way.
>
> Anyone think this is a reasonable patch?

Makes sense to me.
> How difficult do you think this will be, if so?

I haven't looked in great detail but it looks like a trivial change to
o.a.c.connector.Response.toEncoded() would do the trick.

Configuration should probably be on the context to be consistent with
the cookies parameter.

Mark

> Best Regards,
> Jim Manico

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
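Until a container-level switch like the one proposed above exists, the same effect can be had from inside a Servlet 2.5 application. The filter below is an added illustration written for this thread; it is not Tomcat code and not the patch Mark describes against Response.toEncoded(). It assumes a hypothetical class name NoUrlRewritingFilter mapped to /* in web.xml. It covers both halves of the problem: outbound, the wrapped response returns every URL unchanged from encodeURL()/encodeRedirectURL(), so no ;jsessionid=... is ever appended (this also catches JSTL's c:url, which goes through encodeURL()); inbound, the container will still parse a jsessionid path parameter out of the request URI, so the filter refuses requests whose session id arrived that way rather than let a leaked or attacker-supplied id be honoured.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical application-level filter (example code, not part of Tomcat)
 * that disables session-ID URL rewriting for a Servlet 2.5 web application.
 *
 * Map it to /* in web.xml so it wraps every response:
 *
 *   <filter>
 *     <filter-name>noUrlRewriting</filter-name>
 *     <filter-class>NoUrlRewritingFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noUrlRewriting</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class NoUrlRewritingFilter implements Filter {

    /**
     * Response wrapper whose encode methods hand the URL back untouched.
     * The container's own implementation is what appends ;jsessionid=...,
     * so never delegating to it means the session ID never reaches a URL.
     */
    static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) {
            return url;
        }

        @Override
        public String encodeRedirectURL(String url) {
            return url;
        }

        // Deprecated spellings still present in the 2.5 API; override them too
        // so legacy code calling them gets the same behaviour.
        @Override
        @SuppressWarnings("deprecation")
        public String encodeUrl(String url) {
            return url;
        }

        @Override
        @SuppressWarnings("deprecation")
        public String encodeRedirectUrl(String url) {
            return url;
        }
    }

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Inbound check: the wrapper only stops the application from emitting
        // IDs in URLs; the container still accepts a jsessionid path parameter
        // on incoming requests. Reject those outright so an ID copied from a
        // log, bookmark or proxy cache (or planted by an attacker) is useless.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session IDs in the URL are not accepted");
            return;
        }

        // Outbound: everything downstream sees a response that cannot rewrite URLs.
        chain.doFilter(request, new NoRewriteResponse(response));
    }
}
```

Answering with 400 is the conservative choice for a site that has never issued URL-based IDs; a site migrating away from rewriting may prefer to redirect to the same path with the parameter removed so stale bookmarks keep working. Either way the check should stay, because removing only the outbound rewriting leaves the container willing to resume any session whose ID it is handed in the path.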