https://issues.apache.org/bugzilla/show_bug.cgi?id=49811
--- Comment #4 from Wesley <wesley.ache...@gmail.com> 2010-08-26 18:19:22 EDT ---

(In reply to comment #3)

> Unlikely duplicate of bug #40222: that one has to do with session id switching
> during authentication.

Good, I didn't think so, but it did seem to conflict with the initial bug report.

> I would recommend calling this configuration attribute/parameter
> "disableURLRewriting" instead of "allowURLSessions". First, it includes the
> word "rewriting" which is what the servlet spec calls this, and second, it
> indicates that the default is that URL rewriting is ENABLED.

100% agreed. I thought of this afterwards. Initially I thought it might clarify things for people who don't read the entire docs to mention specifically what the effect was, though.

> Please mention in the Javadoc that by setting this config parameter to TRUE
> (that is, disabling URL rewriting), you are breaking the servlet specification
> (mention chapter and verse, just to be clear). It may even be worth writing to
> the log file during Context startup.

Javadoc: agreed. I'll need to find the area of the document. Log message: I'm not sure; when I put debugging logs in the setter it was being called multiple times. I don't know where I would put it exactly.

> Also, spell-check your javadoc ;)

Ouch. Yeah, I'm a bit dyslexic. 100% agree again though.

> You should probably also change the URL-parsing code that accepts jsessionid
> parameters and have it ignore URL-supplied jsessionids, otherwise you aren't
> really preventing session hijacking... you're just limiting the damage
> stupidity can cause.

Okay, that's fair enough, but I thought that I had :( Specifically, I thought the changes to CoyoteAdapter.java covered this.

> Other than that, it looks good to me.

Thanks, this is helpful.
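The comment distinguishes two halves of disabling URL rewriting: no longer emitting `;jsessionid=` in encoded URLs, and also ignoring a `;jsessionid=` path parameter the client supplies. The following Python model is an added illustration, not the patch under discussion or any Tomcat code; it assumes a `disable_url_rewriting` flag and the cookie name `JSESSIONID`.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SESSION_PARAM = "jsessionid"  # path-parameter name the servlet spec uses for URL rewriting
# Matches a ";jsessionid=<id>" path parameter; the only path parameter this model handles.
_PATH_PARAM = re.compile(r";jsessionid=([^;/?#]*)", re.IGNORECASE)


def extract_session_id(request_uri: str, cookies: dict, disable_url_rewriting: bool):
    """Return (session_id, source); source is 'cookie', 'url' or None.

    A cookie-supplied id always wins over the path parameter. When URL rewriting
    is disabled (hypothetical disable_url_rewriting flag), a ';jsessionid=' in the
    request URI is ignored entirely: a session id in the URL cannot select a session.
    """
    if "JSESSIONID" in cookies:
        return cookies["JSESSIONID"], "cookie"
    match = _PATH_PARAM.search(request_uri)
    if match and not disable_url_rewriting:
        return match.group(1), "url"
    return None, None


def strip_session_path_param(request_uri: str) -> str:
    """Remove ';jsessionid=...' from the URI before routing, whether or not it was
    honoured, so application code never sees it as part of the path."""
    return _PATH_PARAM.sub("", request_uri)


def encode_url(url: str, session_id: str, client_sent_cookie: bool,
               disable_url_rewriting: bool) -> str:
    """Model of the response-side encodeURL: append the ';jsessionid=' path parameter
    only when the client did not present the session cookie and rewriting is enabled."""
    if disable_url_rewriting or client_sent_cookie:
        return url
    parts = urlsplit(url)
    # Path parameters belong to the path segment, ahead of any '?query'.
    return urlunsplit(parts._replace(path=f"{parts.path};{SESSION_PARAM}={session_id}"))


if __name__ == "__main__":
    # Constructed sample request: session id supplied only in the URL, no cookie.
    uri = "/app/page;jsessionid=ABC123?x=1"
    print(extract_session_id(uri, {}, disable_url_rewriting=False))  # honoured
    print(extract_session_id(uri, {}, disable_url_rewriting=True))   # ignored
    print(strip_session_path_param(uri))
    print(encode_url("/app/page?x=1", "S1", client_sent_cookie=False, disable_url_rewriting=False))
```

With only the response half changed, the second call above would still return the URL-supplied id, which is the gap the reviewer points at.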