dev@javaserverfaces.java.net

Re: [JSF spec issues] session id

From: Edward Burns <edward.burns_at_oracle.com>
Date: Tue, 3 Apr 2012 14:12:06 -0700

dev_at_javaserverfaces.java.net is the right place. I've added this list
to the To:

>>>>> On Sun, 01 Apr 2012 22:43:16 +0200, Michael Müller <michael.mueller_at_mueller-bruehl.de> said:

MM> Maybe the wrong place for this post, maybe something to think about for
MM> the upcoming version:

MM> I built a small app to list the books I reviewed (some of my oldest
MM> reviews deal with JavaServer Faces 2 from Ed as well as the same title from
MM> Martin, ). Now, to show a review, I need to call my page together with
MM> an id. The intention is to get a bookmarkable link for a dynamic application.

MM> http://it-rezension.de/review.xhtml?reviewId=2

MM> But in fact, mostly a session Id is added to the URL.

MM> http://it-rezension.de/review.xhtml;jsessionid=f8461100d79ed1ee829519595257?reviewId=2

MM> Such an address is terrible with regard to search engines. And if I
MM> monitor my network traffic, I recognize a cookie for the session id.
MM> So far, why is the session id added to the URL? Is it possible to
MM> suppress this behavior? Or to use POST instead of GET?

MM> On the other hand, for critical applications I need a varying (unique)
MM> access token besides the session id (session id via cookie, security
MM> token via GET or POST parameter). I have to create this in my app. It
MM> would be great to add a feature "access token" (configurable!) which adds
MM> a unique token on each request.

Manfred, This is exactly the sort of thing I was hoping we could avoid.
I know you assert that this is really a problem in the servlet impl, but
as you can see here, the impression is that it's a JSF problem. In the
name of keeping the customer happy, is there anything we can do,
assuming the servlet impl does *not* change, to make Hr. Mueller happy
here?

Thanks,

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
| homepage:               | http://ridingthecrest.com/
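Editor's note on the two points raised in the quoted message, with an added example that is not code from this thread, from Mojarra, or from any Servlet container. The `;jsessionid=...` path parameter is produced by the container's URL rewriting: on the response that first creates a session the container does not yet know whether the client will return cookies, so every URL passed through `HttpServletResponse.encodeURL` (which JSF does for its links and form actions) gets the id appended; once the cookie comes back, later responses are no longer rewritten. Since Servlet 3.0 the application can tell the container to never do this via `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in `web.xml`. The filter below is a hypothetical companion to that setting: it refuses any request that still carries a session id in the URL (such an id may have been copied into a link, logged, or leaked through the Referer header, and accepting it enables session fixation), and it implements the "access token beside the session id" idea as a per-session secret that every non-safe request must present as a form parameter. The class, attribute and parameter names (`SessionHardeningFilter`, `accessToken`) are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example; not part of the thread, Mojarra, or any container).
 *
 * Meant to be paired with cookie-only session tracking in web.xml (Servlet 3.0+),
 * so the container never appends ";jsessionid=..." to rewritten URLs at all:
 *
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 *
 * Map the filter to the pages it should protect, e.g. /*.xhtml or /*.
 */
public class SessionHardeningFilter implements Filter {

    /** Session attribute holding the secret token (name is an assumption). */
    public static final String TOKEN_ATTR = "accessToken";
    /** Request parameter the client must send it back in (name is an assumption). */
    public static final String TOKEN_PARAM = "accessToken";

    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // (1) A session id that arrived in the URL path instead of a cookie is not
        // trusted. Invalidate whatever session it names so an attacker-chosen id
        // cannot be fixated on the victim, then reject the request outright.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession stale = request.getSession(false);
            if (stale != null) {
                stale.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "session id in URL is not accepted");
            return;
        }

        // (2) Issue one secret per session, kept server-side and never placed in a URL.
        HttpSession session = request.getSession(true);
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            token = newToken();
            session.setAttribute(TOKEN_ATTR, token);
        }

        // Safe methods only read; every other method must carry the token as a
        // form parameter, which a cross-site attacker cannot supply.
        String method = request.getMethod();
        boolean safe = "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
        if (!safe) {
            String supplied = request.getParameter(TOKEN_PARAM);
            if (supplied == null || !constantTimeEquals(token, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "missing or invalid access token");
                return;
            }
        }

        chain.doFilter(request, response);
    }

    /** 256 random bits, URL-safe Base64 so the value can sit in a hidden form field. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Compare without leaking the position of the first mismatching byte. */
    static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

The page must then render the session's token into each form, for instance as an `<h:inputHidden>` bound to the `accessToken` session attribute, and a bookmarkable link such as `review.xhtml?reviewId=2` keeps working because GET requests are not asked for it. Note that this is a per-session token rather than the per-request rotating token the quoted message asks for; rotating on every request is stronger against token replay but breaks the back button and multi-tab use, so most applications settle for the per-session form shown here.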