FAQ

On 5/21/07, Carlos Ortiz wrote:
> Hi,
> Is there a way to not show jsessionid in the address bar? For my app
> it may be a potential problem with security?
Whether the session id shows in the URL (and therefore the address
bar) or not makes no difference at all from a security perspective.
If it is not in the URL, then it is stored in a cookie, and a
potential attacker can just look at the cookie value to see what it
is.
> and also why sometimes it is written and other times not?
The typical pattern goes like this:

* On the first request to an application, the servlet container
does not know whether you have cookies enabled, so it sends
the session id as *both* a URL path parameter and as a cookie.

* If the session id comes back in as a cookie, then the container
will assume you have cookies enabled and will stop sending
the session id as part of the URL.

* Otherwise, it will keep using URLs so that session affinity
can be maintained.

Craig


> thx for the help
>
> PS
> Something off topic but still in Java: any ideas how to parse a date like
> this "2007-03-22T00:00:00-06:00" to a Date or Calendar obj?
> yyyy-MM-ddThh:mm:ss-z ? <-- that does not work



Discussion Overview
group: users @
categories: myfaces
posted: May 21, '07 at 2:46p
active: May 21, '07 at 5:14p
posts: 2
users: 2
website: myfaces.apache.org

2 users in discussion

Craig McClanahan: 1 post Carlos Ortiz: 1 post
