dev@glassfish.java.net

security risk of exposing jsessionid?

From: Lloyd Chambers <Lloyd.Chambers_at_Sun.COM>
Date: Fri, 25 Jul 2008 17:04:33 -0700

I had sent the email below earlier today. Note that it includes
jsessionid encoded in the URL.

Now in this case, there is nothing particularly sensitive about
opensolaris.org.

But what are the security ramifications of a web site including
jsessionid in the URL itself like this? Would this allow someone to
hijack the session if the URL could be observed (or simply emailed as
I've done)?

Lloyd


Begin forwarded message:

> From: Lloyd Chambers <lloyd.chambers_at_sun.com>
> Date: July 25, 2008 2:52:57 PM PDT
> To: arch_at_glassfish.dev.java.net
> Cc: webtier_at_glassfish.dev.java.net
> Subject: Re: [arch] Requesting feedback on one pager for Webtier for
> v3 Prelude release
>
> Rajiv,
>
> For Imported interfaces, please use current terminology e.g. Committed/
> Uncommitted/Volatile.
>
> http://opensolaris.org/os/community/arc/policies/interface-taxonomy/;jsessionid=095343034A3BBCE0A05225EA90E5588E
>
> This comment applies to all the one-pagers.
>
> Lloyd
>
>
>
> On Jul 25, 2008, at 9:50 AM, Rajiv Mordani wrote:
>
>> All,
>> Please provide your feedback on the proposed changes for the
>> webtier for v3 Prelude release by August 1st. The one pager can be
>> found at
>>
>> http://wiki.glassfish.java.net/Wiki.jsp?page=V3webtierFunctionalSpec
>>
>> Thanks
>>
>> - Rajiv
>
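A URL-carried session id is the one value that ends up in referer headers, proxy and web-server logs, browser history, bookmarks and forwarded mail, so it is the concrete hijacking risk Lloyd is asking about. The filter below is an added, hypothetical example written for this thread, not GlassFish code: it uses the standard Servlet API (`HttpServletRequest.isRequestedSessionIdFromURL()`) to treat any session whose id arrived via `;jsessionid=` as already exposed, replaces it with a cookie-delivered one, and redirects to the same URL with the path parameter removed. The class name `UrlSessionIdFilter` and helper `stripSessionId` are assumptions; the `;jsessionid=` syntax and the Servlet API calls are real.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not GlassFish code): refuses to honour a
 * session id that arrived in the URL path (";jsessionid=...") instead of in a
 * cookie. Such an id may already have leaked through referers, logs or mail, so
 * the session bound to it is invalidated and a fresh cookie-only session is issued.
 */
public class UrlSessionIdFilter implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // True only when the container parsed the id out of the request URI,
        // i.e. URL rewriting (not a cookie) delivered it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();      // the id is public; retire it
            }
            request.getSession(true);      // new id, sent back via Set-Cookie only

            // Redirect to the same resource without the ;jsessionid path parameter
            // so the leaked id does not linger in the address bar or bookmarks.
            String clean = stripSessionId(request.getRequestURI());
            String query = request.getQueryString();
            response.sendRedirect(query == null ? clean : clean + "?" + query);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Removes a ";jsessionid=<id>" path parameter, keeping any later path segment. */
    static String stripSessionId(String uri) {
        int idx = uri.toLowerCase().indexOf(";jsessionid=");
        if (idx < 0) {
            return uri;
        }
        int end = uri.indexOf('/', idx);   // a further path segment may follow the id
        return end < 0 ? uri.substring(0, idx) : uri.substring(0, idx) + uri.substring(end);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml. It only cleans up after the fact; the stronger fix on a Servlet 3.0 container such as GlassFish v3 is to stop URL rewriting entirely with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` (and cookie `secure`/`http-only` flags), so `encodeURL()` never appends `;jsessionid=` for cookie-less clients in the first place. A session id that was observed in a URL, as in the forwarded message, should be assumed usable by whoever saw it until that session expires or is invalidated.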