Hi, I am calling session.invalidate() in my web application, but this does not remove the JSESSIONID cookie.
So one of our customers has raised this as a security threat.
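An added example (not code from any poster in this thread) of the logout handler the question is about. It assumes a Servlet 3.0+ container, the default cookie name JSESSIONID and a hypothetical /login page. HttpSession.invalidate() only destroys the server-side session state; the cookie in the browser is untouched until the server sends the same cookie back with Max-Age=0, which is what the second step below does.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread: a logout servlet that invalidates the
// server-side session AND tells the browser to drop the JSESSIONID cookie.
// Assumes the container's default cookie name (JSESSIONID) and a /login page.
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Destroy the server-side session. getSession(false) avoids creating
        //    a fresh session just to invalidate it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the session cookie in the browser. Name and path must match
        //    the cookie the container originally set, or the browser keeps the
        //    old one alongside this one. The container scopes JSESSIONID to the
        //    web application's context path ("/" for the root context).
        String contextPath = req.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);            // Max-Age=0 tells the browser to delete it now
        expired.setHttpOnly(true);       // Servlet 3.0+; matches a sensible session cookie
        expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        // 3. Don't let a proxy or the browser cache the logout response, then
        //    send the user back to the login page.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(resp.encodeRedirectURL(contextPath + "/login"));
    }
}
```

After step 1 the old id no longer maps to any session on the server, so a leftover cookie cannot be replayed; step 2 stops the browser from sending that dead id on every following request, which is what a security review of the logout flow will check for. Map the servlet to POST (a logout link that is a GET can be triggered cross-site).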
It's called JSESSIONID; it is an internal cookie (which you cannot manipulate) on the server. What we're after is someone who's done the session implementation but without any cookies - so classes that we then don't have to write - adding, removing things from sessions etc. ... Cookies are useful only when you want to persist certain information with that client.
Once you call response.encodeURL(url), the server will automatically append ";jsessionid=". Weird. And take back the same information when he signs in next. You can enable URL rewriting, which is supported by all the servers.
I will try and put the problem differently: I have a web application which presents a login page to the user.
User enters his user ID and password and is logged in.
You have that option in the server for session tracking.
In which case - what I'm after is a set of code that someone else has already written that provides the same kind of functionality - so that we don't have to write it! What I'm after is avoiding writing a load of code to deal with this.
A URL to something somewhere where someone has written code that provides session functionality WITHOUT using browser (client-side) cookies. All you need to do is encode your URLs (to include the session ID). There's nothing more that you need to do.
So, sample code/URLs/articles would be most welcome if at all possible.
First, disable cookies in your browser, then try the following test code.
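An added example (not code from any poster in this thread) of the cookieless, URL-rewriting approach the replies describe. The servlet container does the tracking itself: when a request arrives without a session cookie, response.encodeURL() appends ";jsessionid=<id>" to every URL passed through it, and the container reads the id back from the path on the next request. With cookies enabled, encodeURL() returns the URL unchanged. The paths /counter and /logout are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread: a servlet that keeps a per-session hit
// counter and survives with cookies disabled, because every link back into the
// application is passed through response.encodeURL(). Hypothetical URL paths
// /counter and /logout are assumed.
public class CounterServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Creates a session on the first visit; later visits are matched by
        // cookie or by the ;jsessionid= path parameter, whichever is present.
        HttpSession session = req.getSession(true);
        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? 1 : hits + 1;
        session.setAttribute("hits", hits);

        // Every link that must keep the session goes through encodeURL().
        // A link written without it loses the session for a cookieless client.
        String self = resp.encodeURL(req.getContextPath() + "/counter");
        String logout = resp.encodeURL(req.getContextPath() + "/logout");

        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store"); // pages carrying a session id must not be cached
        PrintWriter out = resp.getWriter();
        out.println("<p>Hits in this session: " + hits + "</p>");
        out.println("<p>Session id arrived via "
                + (req.isRequestedSessionIdFromCookie() ? "cookie" : "URL")
                + "; valid=" + req.isRequestedSessionIdValid() + "</p>");
        out.println("<p><a href=\"" + self + "\">again</a> | "
                + "<a href=\"" + logout + "\">logout</a></p>");
    }
}
```

Test it as the last reply suggests: with cookies disabled in the browser, the "again" link carries ;jsessionid=... and the counter keeps climbing; with cookies enabled the link is plain. The practitioner's caveat: a session id in the URL ends up in browser history, bookmarks, proxy and server access logs, and the Referer header of any outbound link, so it is far easier to leak than a cookie. On a Servlet 3.0+ container you can forbid it entirely with a <tracking-mode>COOKIE</tracking-mode> entry under <session-config> in web.xml, and you should only turn on URL rewriting when cookieless clients are a real requirement.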