jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Fwd: Re: HttpSession#isSecure ?

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Wed, 31 Aug 2011 10:56:38 -0700

> On 30/08/2011 23:46, shing.wai.chan_at_oracle.com wrote:
>> I have looked at the use case in more detail. When there is a load
>> balancer, the web container itself may not have enough information to
>> validate those port numbers before encoding.
For example, the web server has HTTP port 80 and HTTPS port 443.
The load balancer (with two appservers) may forward HTTP traffic to
18080, 28080, HTTPS traffic to 1443, 2443.
Suppose there is an HTTP request to port 80, then the servlet encodes the URL
with HTTPS port 443.
In this case, we may want to append the jsessionid. But port 443 and
related information are in the web server (not even in the load balancer in some
vendors). So, in general, it is not easy to validate those redirect
ports in general cases.
(We want to validate the port is really the same server before appending
the jsessionid.)

Shing Wai Chan
> I'm sorry, but I don't understand the point you are making here. Could
> you expand please.
>
> Mark
>
>> In this case, I would suggest to just add a method to the API so that users
>> can check whether the session is secure and do appropriate changes if
>> necessary.
>>
>> Shing Wai Chan
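
The port check discussed in this message, as an added illustration that is not part of the original thread and is not servlet API or container code. It assumes the deployment supplies the front-end to back-end port map itself; the class and method names, the host name, the map and the `sessionSecure` flag (standing in for the session-security check proposed in the thread) are all hypothetical.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

public class SessionUrlEncoder {
    // Constructed deployment data, using the ports from the message:
    // public web-server port -> appserver ports the load balancer forwards to.
    static final Map<Integer, Set<Integer>> FRONT_TO_BACKEND = Map.of(
            80, Set.of(18080, 28080),
            443, Set.of(1443, 2443));

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Appends ;jsessionid only if the target is a known front-end port of this
    // deployment and a session created over HTTPS stays on HTTPS.
    static String encode(String target, String publicHost, int localPort,
                         String sessionId, boolean sessionSecure) {
        URI u = URI.create(target);
        boolean https = "https".equalsIgnoreCase(u.getScheme());
        boolean sameHost = publicHost.equalsIgnoreCase(u.getHost());
        boolean knownFront = FRONT_TO_BACKEND.containsKey(effectivePort(u));
        boolean knownBackend = FRONT_TO_BACKEND.values().stream()
                .anyMatch(ports -> ports.contains(localPort));
        if (!sameHost || !knownFront || !knownBackend) return target;
        if (sessionSecure && !https) return target; // keep a secure session id off plain HTTP
        int cut = target.length();
        for (char c : new char[] {'?', '#'}) {
            int i = target.indexOf(c);
            if (i >= 0 && i < cut) cut = i;
        }
        return target.substring(0, cut) + ";jsessionid=" + sessionId + target.substring(cut);
    }

    public static void main(String[] args) {
        String id = "CONSTRUCTED-ID"; // constructed sample value
        // Request arrived on back-end port 18080 (public port 80), session created over HTTP.
        System.out.println(encode("https://www.example.com/checkout?step=1", "www.example.com", 18080, id, false));
        // Port not in the deployment map: left untouched.
        System.out.println(encode("https://www.example.com:8443/checkout", "www.example.com", 18080, id, false));
        // Session created over HTTPS, target is plain HTTP: left untouched.
        System.out.println(encode("http://www.example.com/catalog", "www.example.com", 1443, id, true));
    }
}
```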