https://issues.apache.org/bugzilla/show_bug.cgi?id=49811
--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> 2010-08-26 17:48:19 EDT ---
Unlikely duplicate of bug #40222: that one has to do with session id switching
during authentication.

Some comments on the patch:

I would recommend calling this configuration attribute/parameter
"disableURLRewriting" instead of "allowURLSessions". First, it includes the
word "rewriting" which is what the servlet spec calls this, and second, it
indicates that the default is that URL rewriting is ENABLED.

This, of course, requires that you invert the logic of the entire patch :)

Please mention in the Javadoc that by setting this config parameter to TRUE
(that is, disabling URL rewriting), you are breaking the servlet specification
(mention chapter and verse, just to be clear). It may even be worth writing to
the log file during Context startup.

Also, spell-check your javadoc ;)

You should probably also change the URL-parsing code that accepts jsessionid
parameters and have it ignore URL-supplied jsessionids, otherwise you aren't
really preventing session hijacking... you're just limiting the damage
stupidity can cause.

Other than that, it looks good to me.
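Added example (Python, not code from the Tomcat patch under review) modelling the two halves the comment says must change together: the encodeURL() side the patch touches and the request-parsing side that still accepts a jsessionid from the URL. The flag name disable_url_rewriting and every function name here are assumed stand-ins for the attribute the comment proposes.

```python
# Added example, not code from the Tomcat patch: a minimal model of the two
# places "disable URL rewriting" must take effect. Names are assumed stand-ins.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"
PATH_PARAM = ";jsessionid="  # servlet path parameter carrying the session id

def session_id_from_cookie(cookie_header):
    """Session id from the Cookie header, or None if the client sent none."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None

def session_id_from_url(request_uri):
    """Session id from a ';jsessionid=...' path parameter, or None."""
    path = urlsplit(request_uri).path  # path parameters sit before any '?'
    start = path.lower().find(PATH_PARAM)
    if start == -1:
        return None
    value = path[start + len(PATH_PARAM):]
    # the id ends at the next path parameter or path segment, if there is one
    stops = [i for i in (value.find(";"), value.find("/")) if i != -1]
    return (value[:min(stops)] if stops else value) or None

def resolve_session_id(cookie_header, request_uri, disable_url_rewriting):
    """Request-parsing half: which id the container honours, as (id, source).
    Once URL rewriting is disabled, an id supplied in the URL is ignored, so an
    id planted in a link can no longer fix the victim's session."""
    sid = session_id_from_cookie(cookie_header)
    if sid:
        return sid, "cookie"
    if disable_url_rewriting:
        return None, None  # URL-supplied id deliberately not honoured
    sid = session_id_from_url(request_uri)
    return (sid, "url") if sid else (None, None)

def encode_url(url, session_id, disable_url_rewriting, client_sent_cookie):
    """encodeURL() half, the one the patch changes: append the id only when
    cookies are not known to work and rewriting has not been disabled."""
    if disable_url_rewriting or client_sent_cookie:
        return url
    parts = urlsplit(url)
    return parts._replace(path=parts.path + PATH_PARAM + session_id).geturl()
```

Changing only encode_url stops new ids from being written into links, but until resolve_session_id also ignores the URL, a request carrying a planted id is still accepted.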
