On 28 November 2014 at 23:19, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> > What if generated HTML contains a href with the session ID encoded in the
> > URL
>
> In sessionless mode (which includes scoping the session to a request)
> there won't be a session ID encoded to the URL, since pretty much the
> entire idea is to not have sessions.
I have seen many applications that do their own appending of session ID to
generated URLs, or that include it in an Ajax response. So if a fake
session is being generated, it will have an ID (else other code might fail)
and I do not think we can prevent that session ID leaking back to the
client in all cases.
I think the technique described of using an HttpSessionListener is
sufficient. Note that such a listener could also just invalidate the
session and not throw an error. An alternate technique would be to
register a ServletRequestListener that does an invalidate on
requestDestroyed.
What other flexibility is needed?
--
Greg Wilkins <gregw_at_intalio.com> @ Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.
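Both listener-based variants mentioned in the reply above, written out as an added example (not code from the thread, from Jetty, or from the Servlet spec). It assumes a Servlet 3.0+ container with the javax.servlet API; the class names and the log message are made up for illustration. Whether the exception thrown from sessionCreated actually aborts the request, and what the caller of getSession() sees, is left to the container and is not specified by this example.

```java
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Variant 1 (hypothetical name): an HttpSessionListener that refuses to let a
 * session exist at all. The container calls sessionCreated() as part of
 * HttpServletRequest.getSession(); throwing here is the "throw an error"
 * option from the thread. The sessionCreated() body could instead call
 * se.getSession().invalidate() to take the "just invalidate" option.
 */
@WebListener
class RejectSessionListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Assumption: the container propagates this to whoever called getSession().
        throw new IllegalStateException(
            "This application runs sessionless; a session was requested for id "
            + se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up: no session should ever have survived creation.
    }
}

/**
 * Variant 2 (hypothetical name): scope any session to the request. The
 * session is allowed to exist while the request runs, and is invalidated in
 * requestDestroyed(), so no server-side state outlives the request.
 *
 * Caveat (follows from the thread): by the time requestDestroyed() runs the
 * response has normally been committed, so a Set-Cookie header or a
 * URL-rewritten session id that application code emitted has already reached
 * the client. This listener stops the server from keeping the session; it does
 * not stop the id from leaking to the client.
 */
@WebListener
class RequestScopedSessionListener implements ServletRequestListener {

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        // No action on the way in; the application is free to create a session.
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        if (!(sre.getServletRequest() instanceof HttpServletRequest)) {
            return; // Only HTTP requests carry sessions.
        }
        HttpServletRequest request = (HttpServletRequest) sre.getServletRequest();
        // getSession(false) never creates a session, so this listener cannot
        // itself cause the very thing it is trying to prevent.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Deploying both at once makes little sense: the first never lets a session be created, so the second has nothing to invalidate. Pick the one matching the policy wanted (no sessions at all, or request-scoped sessions), and remember that neither addresses session ids that application code has already written into generated HTML or Ajax responses.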