JavaRanch » Java Forums » Java » JSP
JSTL c:url and Fragment Caching: Big Security Risk!

Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Hello everyone,
I am using the <c:url> standard tag lib tag for constructing nearly all links in my application.
Now I realized that <c:url> also appends the jsessionid parameter to the URL if the client does not support cookies. This can be a big security problem if you use fragment caching on content that contains URLs generated by <c:url>. Not only do cache hits deliver the wrong jsessionid for the user requesting, it's also a valid id for another user's session!
My question: Is it possible to disable the URL rewriting feature completely for the standard tag lib? I'd still like to use <c:url> because of its encoding and context path prepending facilities.
Regards,
Andreas