The issue here is that we want to control session tracking. In the web.xml file you may have something that looks like:
OK, let me re-phrase that. You were expecting that, but instead you have:
This is a problem. We are trying to be more secure around our session, and having the JSESSIONID in the URL does not help with that: a session ID carried in the URL ends up in browser history, server logs and Referer headers. We can keep our application safe, and perhaps frustrate our developer slightly if he doesn't figure out this little bit of magic, by controlling the session tracking programmatically in an "obvious" well-known location. We can enlist a ServletContextListener to help us.

The ServletContextListener listens for when our application is being initialized and sets the session tracking back to COOKIE for us. The implementation is simple, and will help foil the "developer mode-itis" that sometimes infects the code.
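A listener of the kind described above, written here as an added example and not the original post's code. The class name is hypothetical, and it assumes a Servlet 3.0 or later container using the javax.servlet API.

```java
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Added example; the class name is hypothetical. Uses the Servlet 3.0 API
// (javax.servlet); on Jakarta EE 9+ the package is jakarta.servlet.
@WebListener
public class CookieOnlySessionTrackingListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Replace whatever web.xml declared (for example URL) with COOKIE only.
        // This must run during initialization: the container throws
        // IllegalStateException once the context has been initialized.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Check what the container will actually use. If URL rewriting is
        // still enabled, throw so the listener fails visibly instead of the
        // application quietly running with session IDs in URLs.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException(
                    "URL session tracking is still enabled: " + effective);
        }
        ctx.log("Session tracking modes forced to " + effective);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```

If web.xml sets metadata-complete="true", annotations are not scanned, so register the class with a listener element in web.xml instead of relying on @WebListener.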