Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 1.0.3
- Fix Version/s: 1.1-beta1
- Component/s: None
- Labels: None
Description
I'd like to disable URL-based sessions completely, for a variety of reasons – both security (please – hijack my session! Just go to this URL!) and practical (hoses up my webtests by mangling URLs).
In order to do this, I did a "grails install-templates", and then edited ./src/templates/war/web.xml to implement the filter supplied at "http://randomcoder.com/articles/jsessionid-considered-harmful" (which also has a nice summary of issues associated with it, and good comments).
I asked if I should package this as a plugin, and Marc Palmer suggested JIRAing the whole JSessionID idea, since it's a relatively new addition and it has so many fundamental problems. His statement was – "It has caused me nothing but trouble also - for example you have to strip it when generating links to feeds."
So, the request is to remove the JSessionID functionality completely, or at least to default to it being off and forcing users to turn it on explicitly.
Adding this to web.xml:
<context-param>
    <param-name>org.mortbay.jetty.servlet.SessionURL</param-name>
    <param-value>none</param-value>
</context-param>
Just gives you this tacked to the end of your URLs:
";none=fokgrnvhr037"
So the filter[1] is necessary in Grails.
[1] http://randomcoder.com/articles/jsessionid-considered-harmful
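For readers who want to see what such a filter has to do, the following is an added example written for this issue page; it is not the filter from the linked article, not Grails code, and not the reporter's own edit (the class name NoUrlSessionFilter is an assumption). It uses only the standard javax.servlet API and does two things: a request that carries its session id as a URL path parameter (;jsessionid=...) is treated as untrusted, its session is invalidated and the client is redirected to the same URL with the path parameter stripped, so that a planted or leaked id is never adopted; and every response is wrapped so that encodeURL/encodeRedirectURL return the URL unchanged, which is what stops the container from appending ;jsessionid (or, with the Jetty setting above, ;none=...) to generated links.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter (not from the linked article or from Grails)
 * that turns off URL-based session tracking for every request it wraps.
 * Register it in web.xml with a filter-mapping whose url-pattern is /*.
 */
public class NoUrlSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. A session id that arrived in the URL is untrusted: it may have been
        //    planted (session fixation) or leaked via a Referer header, a log
        //    or a shared link. Drop that session instead of adopting it and
        //    send the client to the clean URL; the container will then issue a
        //    fresh cookie-based session on the next request.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // getRequestURL() carries no query string, so everything from the
            // first ';' onwards is a path parameter such as ;jsessionid=...
            String clean = request.getRequestURL().toString();
            int semi = clean.indexOf(';');
            if (semi >= 0) {
                clean = clean.substring(0, semi);
            }
            String query = request.getQueryString();
            if (query != null) {
                clean += "?" + query;
            }
            response.sendRedirect(clean);
            return;
        }

        // 2. Make URL encoding a no-op so the container never appends the
        //    session id to links that taglibs, JSPs or redirects pass through
        //    encodeURL/encodeRedirectURL (the deprecated variants are covered
        //    too, since older code still calls them).
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }
}
```

Two practical points about this design: the redirect in step 1 turns a POST into a GET, so a form submitted to a ;jsessionid URL loses its body, which is acceptable only because such a request should never occur once step 2 is in place; and because the filter invalidates rather than reuses a URL-supplied session, a user who bookmarked a jsessionid link simply starts a new session rather than resuming one that someone else may also hold.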