On 06/4/09 03:35 PM, glassfish_at_javadesktop.org wrote:
>
>> The V2.1 only appends the jsessionid to the url, if
>> the particular app runs either in context root / or
>> if the main applet carries the same name as the
>> package itself (war-file-name).
>>
>> If you have to deny cookies for security reasons
>> you'll go precisely through a surprise.
>>
>
> What does this have to do with virtual servers? How is this a bug? How is this a security issue?
>
I agree with Wolfram (thanks, Wolfram and Martin, for stepping in).
I'm actually having a hard time understanding what Dave meant.
Dave, can you give an example where a JSESSIONID was not appended
to a URL when you thought it should have been?
If you have a webapp ("mywebapp.war") deployed at "/mywebapp", and you're
accessing a resource in "mywebapp.war" that creates an HTTP session,
then the session's JSESSIONID will be appended to only those URIs that
also start with "/mywebapp", because sessions are scoped to webapps.
For example, if you are redirecting to a URI that starts with
"/myotherwebapp", then the JSESSIONID will not be appended, because
you'll be crossing webapp (and therefore session manager) boundaries.
Does this answer your question?
Jan
>
> http://forums.java.net/jive/thread.jspa?messageID=349214
>
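A small servlet to confirm the scoping Jan describes, added here as an example and not taken from the thread or from GlassFish itself. It assumes mywebapp.war is deployed at "/mywebapp" with this servlet mapped to "/check"; request it with cookies disabled so the container has to fall back to URL rewriting, which is Dave's situation.

```java
// Added example (not from the thread): shows which target URIs the container's
// URL rewriting will carry the JSESSIONID on. Assumed deployment: mywebapp.war at
// context root "/mywebapp", this servlet mapped to "/check" (both assumptions).
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionScopeCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Create the session first: encodeURL() has nothing to append otherwise.
        HttpSession session = req.getSession(true);
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        String ctx = req.getContextPath();   // "/mywebapp" under the assumed deployment
        String[] targets = {
            ctx + "/page.jsp",               // same webapp: eligible for rewriting
            "/myotherwebapp/page.jsp",       // different webapp: left untouched
            "/page.jsp"                      // context root "/": also a different webapp
        };

        out.println("session id : " + session.getId());
        out.println("from cookie: " + req.isRequestedSessionIdFromCookie());
        out.println("from URL   : " + req.isRequestedSessionIdFromURL());
        out.println();
        for (String t : targets) {
            String encoded = resp.encodeURL(t);
            boolean carries = encoded.contains(";jsessionid=");
            out.printf("%-28s -> %s%n", t, carries ? "jsessionid appended" : "unchanged");
        }
        // Redirect targets are decided by the same rule through encodeRedirectURL().
        out.println();
        out.println("redirect to /myotherwebapp/ -> " + resp.encodeRedirectURL("/myotherwebapp/"));
    }
}
```

Once the browser sends the JSESSIONID cookie on a later request, the container can stop rewriting even the same-webapp URI, so check the "from cookie" line before concluding that rewriting is broken.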