java - How to configure Tomcat to not encode the session id into the URL when HttpServletResponse.encodeURL() is invoked

Question

Welcome To Ask or Share your Answers For Others

java - How to configure Tomcat to not encode the session id into the URL when HttpServletResponse.encodeURL() is invoked

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

java - How to configure Tomcat to not encode the session id into the URL when HttpServletResponse.encodeURL() is invoked

Seems like a stupid question to which the answer would be "Don't use encodeURL()!" but I'm working with a codebase that uses netui anchor tags in the JSPs and I need to disable the writing of JSESSIONID into the URLs as it is a security risk.

In WebLogic, you can configure this by configuring url-rewriting-enabled in weblogic.xml (I know because I wrote that feature in the WebLogic server!). However, I can't find an equivalent config option for Tomcat.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-10-23T18:21:37+0000

Tomcat 6 supports the disableURLRewriting attribute that can be set to true in your Context element:

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Common_Attributes

Categories

java - How to configure Tomcat to not encode the session id into the URL when HttpServletResponse.encodeURL() is invoked

java - How to configure Tomcat to not encode the session id into the URL when HttpServletResponse.encodeURL() is invoked

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags