Re: [JSF spec issues] session id

From: Edward Burns <>
Date: Tue, 3 Apr 2012 14:12:06 -0700 is the right place. I've added this list
to the To:

>>>>> On Sun, 01 Apr 2012 22:43:16 +0200, =?ISO-8859-15?Q?Michael_M=FCller?= <> said:

MM> Maybe the wrong place for this post, maybe somthing to think about for
MM> the upcomming version:

MM> I build up a small app to list the books I reviewed (some of my eldest
MM> reviews deal about JavaServer Faces 2 from Ed as well as same title from
MM> Martin, ). Now, to show a review, I need to call my page together with
MM> an id. Intention is to get a bookmarkable link for a dynamic application.


MM> But in fact, mostly a session Id is added to the URL.


MM> Such an address is a terrible referring to search engines. And if I
MM> monitor my network traffic, I'll recognize a cookie for the session id.
MM> So far, why is the session id added to the URL? Is it possible to
MM> suppress this behavior? Or to use post instead of get?

MM> On the other hand, for critical applications I need a varying (unique)
MM> access token beside the session id (session id via cookie, security
MM> token via get or post parameter). I have to create this by my app. It
MM> would be great to add a feature "access token" (configurable!) wich adds
MM> a unique token on each request.

Manfred, This is exactly the sort of thing I was hoping we could avoid.
I know you assert that this is really a problem in the servlet impl, but
as you can see here, the impression is that it's a JSF problem. In the
name of keeping the customer happy, is there anything we can do,
assuming the servlet impl does *not* change, to make Hr. Mueller happy



| | office: +1 407 458 0017
| homepage:               |