On 26.08.2014 at 23:52, Filip Hanik wrote:

but our cookies, JSESSIONID, doesn't have to be UTF-8, does it?
this goes hand in hand with the SessionIdGenerator that Rainer just did,
can that return UTF-8 values?

We currently only bundle one impl of that and that impl hasn't changed, so it still uses random bytes encoded in hex digits.

But: as we know, it appends the jvmRoute if set. A user could try to set that as UTF-8. But I guess it is extremely unlikely due to the jvmRoute often also being used in other legacy config files which don't support UTF-8.

A custom implementation of SessionIdGenerator currently would be free to return any string it likes. We can still change the API or docs though, it hasn't yet had any release.

I personally would find it bad practice to generate session IDs with non-ASCII characters or even characters from the reserved set because the correct handling of that in all cases (cookie, URI encoded; load balancers, proxies etc.) would be unnecessarily fragile. Should I add something along those lines to the SessionIdGenerator docs?

Regards,

Rainer
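
An added example, not part of the original mail and not Tomcat code: a standalone check that a session ID, including an appended jvmRoute, stays within the RFC 3986 unreserved set, and what the ID turns into once a component URI-encodes it. The class and method names are hypothetical, and the sample IDs (including the `.` before the route) are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added illustration, not Tomcat code; class and method names are hypothetical.
public class SessionIdCharsetCheck {

    // RFC 3986 "unreserved" characters. Each of them is also a valid RFC 6265
    // cookie-octet, so an ID built only from these needs no escaping in a
    // cookie value or in a URL path parameter.
    static boolean isUnreserved(int c) {
        return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                || (c >= '0' && c <= '9')
                || c == '-' || c == '.' || c == '_' || c == '~';
    }

    // Index of the first character outside the unreserved set, or -1 if none.
    static int firstUnsafeIndex(String id) {
        for (int i = 0; i < id.length(); ) {
            int cp = id.codePointAt(i);
            if (!isUnreserved(cp)) {
                return i;
            }
            i += Character.charCount(cp);
        }
        return -1;
    }

    // The form the ID takes after URI encoding: UTF-8 bytes outside the
    // unreserved set become %XX. Any component that compares the raw and the
    // encoded form byte for byte will treat them as different IDs.
    static String percentEncode(String id) {
        StringBuilder sb = new StringBuilder();
        for (byte b : id.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (isUnreserved(v)) sb.append((char) v);
            else sb.append(String.format("%%%02X", v));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String hex = "3F2A9C0D11E84B7AA6C5D0E9F1B2C3D4"; // constructed sample
        String[] samples = { hex, hex + ".node1", hex + ".kn\u00f6ten", hex + ";x=1" };
        for (String id : samples) {
            int idx = firstUnsafeIndex(id);
            System.out.println(id + " -> " + (idx < 0 ? "ok" : "unsafe at index " + idx)
                    + ", URI-encoded: " + percentEncode(id));
        }
    }
}
```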


