
[jetty-users] Disable URL Rewriting

(Sorry for the encoded message spam. This is the original message.)

Hi,

Because URL rewriting is not very secure (see https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management), I tried to completely disable it, but without success.
I understand and accept that clients not supporting cookies won't be able to use my site.

I use Jetty 9.0.5 and configure everything through a ServletContextListener. This is the relevant code:

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

As I understand it, this should disable URL rewriting, but on the first POST request using a session, the redirect URL is rewritten to include the jsessionid parameter.

I also tried:

servletContext.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName","none");

but to no avail.

Right now I use a servlet filter to circumvent this behaviour.

My question is: Is this the expected behaviour? If yes, is there a more elegant standard way to only use cookies for session tracking?
I did not check the behaviour of Tomcat; maybe that's worth investigating?


Thank you very much in advance :)
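The two pieces the post describes, written out as an added example (not code from the original message or from the Jetty project): a ServletContextListener that declares cookie-only session tracking, plus the kind of servlet filter the poster mentions as a workaround, which wraps the response so that the encode methods never append ";jsessionid=". Class names (CookieOnlySessionConfig, NoUrlRewritingFilter, NoRewriteResponse) and the "/*" URL pattern are assumptions; the listener and wrapper methods are standard Servlet 3.0 API (javax.servlet), which is what Jetty 9.0.x implements.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Step 1 (assumed listener name): restrict session tracking to cookies.
 * setSessionTrackingModes must be called while the context is being
 * initialised, i.e. from contextInitialized, otherwise the container
 * throws IllegalStateException.
 */
@WebListener
public class CookieOnlySessionConfig implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

/**
 * Step 2 (assumed filter name): belt-and-braces defence. Every response
 * handed to downstream servlets is wrapped so that encodeURL /
 * encodeRedirectURL return the URL untouched; a session id can then never
 * be written into a redirect Location header or a generated link.
 */
@WebFilter(urlPatterns = "/*")
class NoUrlRewritingFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new NoRewriteResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Response wrapper whose encode methods are identity functions. */
    static class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) {
            return url;
        }

        @Override
        public String encodeRedirectURL(String url) {
            return url;
        }

        @SuppressWarnings("deprecation")
        @Override
        public String encodeUrl(String url) {
            return url;
        }

        @SuppressWarnings("deprecation")
        @Override
        public String encodeRedirectUrl(String url) {
            return url;
        }
    }
}
```

The wrapper only neutralises rewriting that goes through the response's encode methods (including the deprecated spellings, which older code still calls); a servlet that pastes a session id into a URL string by hand is outside its reach. A quick check that the defence holds is to log in with a client that has cookies disabled and confirm that the first redirect after the POST carries no ";jsessionid=" segment and that the session is simply not established.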
