
JSTL c:url and Fragment Caching: Big Security Risk!

 
Andreas Schildbach
Ranch Hand
Posts: 34
Hello everyone,
I am using the <c:url> standard tag lib tag for constructing nearly all links in my application.
Now I realized that <c:url> also appends the jsessionid parameter to the URL if the client does not support cookies. This can be a big security problem if you use fragment caching on content that contains URLs generated by <c:url>. Not only do cache hits deliver the wrong jsessionid to the requesting user, it's also a valid ID for another user's session!
My question: Is it possible to disable the URL rewriting feature completely for the standard tag lib? I'd still like to use <c:url> because of its encoding and context path prepending facilities.
Regards,
Andreas