Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is. btw, if there is a cookie set, that
overrides anything provided in the URL.
eric
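The filter Eric describes, written out as an added example (not code from this thread or from Tomcat itself). It assumes the Servlet 2.4 `javax.servlet` API that Tomcat 5.5 ships and that the class is mapped in `web.xml` with a `<filter-mapping>` on `/*`; the class name `UrlSessionIdFilter` is a placeholder.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects any session whose id arrived as a ";jsessionid=" URL path
 * parameter instead of a cookie, so a bookmarked or externally supplied
 * session id is never reused (session fixation mitigation).
 */
public class UrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // True only when the id came from the URL. If a session cookie is also
        // present, the container uses the cookie and this returns false.
        if (req.isRequestedSessionIdFromURL()) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();   // drop the URL-supplied session entirely
            }
            // Redirect to the same resource built from path components that never
            // carry path parameters, so the client continues without ;jsessionid.
            StringBuffer target = new StringBuffer(req.getContextPath());
            target.append(req.getServletPath());
            if (req.getPathInfo() != null) {
                target.append(req.getPathInfo());
            }
            if (req.getQueryString() != null) {
                target.append('?').append(req.getQueryString());
            }
            resp.sendRedirect(resp.encodeRedirectURL(target.toString()));
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Because the filter redirects rather than just invalidating, the browser's next request carries only whatever session cookie it holds, and a client with cookies disabled simply gets a fresh session on each visit, which is the intended trade-off.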
This is what I ended up doing. Thanks.
-
ncludes the jsessionid in the new url. They
then bookmark the page (session id included) and end
up reusing it. It is possible (though unlikely) to
have two users conflict on a single session id this
way, so I eliminate the possibility entirely.
-marc
--- Chetan Sabnis <[EMAIL PROTECTED]> wro
Is there a way to disable the Tomcat server (5.5) from accepting
sessions that are sent in the URL using jsessionid? This would be
useful in preventing certain session fixation attacks. Basically, I
would want sessions to be accepted only if they are sent using a
cookie.
Specifically, I am conc