Cross2004

Reputation: 971

Weblogic url-rewriting true only if cookies are off

I want to have an application deployed on a weblogic container that uses url rewriting only if cookies are disabled in the browser.

I need this because even if the browser has cookies enabled, on the first request url-rewriting is used. So the url looks something like

mysite.com/go;jsessionid=YZLVTW3P1fPdLFc28BxgN72zhmXNGMpkYpwnTflDGJy9Gvp7R61n!-128874051

And I would like it to be

mysite.com/go

if cookies are enabled and append the jsessionid only if cookies are disabled.

I have now the following configuration in weblogic.xml

<session-descriptor>
        <debug-enabled>true</debug-enabled>
        <persistent-store-type>replicated_if_clustered</persistent-store-type>
        <url-rewriting-enabled>true</url-rewriting-enabled>
        <cookies-enabled>true</cookies-enabled>
        <cookie-secure>true</cookie-secure>
</session-descriptor>

Does anyone know if it is possible to enable

<url-rewriting-enabled>true</url-rewriting-enabled>

only if cookies are disabled?

How would you do something like this? Java code filter?

More details: what I need is to have behaviour that is like this

<session-descriptor>
        <url-rewriting-enabled>true</url-rewriting-enabled>
        <cookies-enabled>false</cookies-enabled>
</session-descriptor>

and

<session-descriptor>
        <url-rewriting-enabled>false</url-rewriting-enabled>
        <cookies-enabled>true</cookies-enabled>
</session-descriptor>

Or something that mimics this (even a Java filter would be good), url-rewriting-enabled only if cookies are disabled. As I said, on the first request I do get the jsessionid even though cookies are enabled.

Upvotes: 2

Views: 7412

Answers (1)

Display Name is missing

Reputation: 6227

The docs say you should not turn on url-rewriting-enabled if you also turn on cookie-secure:

http://docs.oracle.com/cd/E15051_01/wls/docs103/webapp/weblogic_xml.html#wp1071982

I found multiple other references that also mention, no, you cannot have both secure cookies and url rewriting enabled. This source goes into greater detail on the merits of each to help you make a choice:

http://j2eesecurity.blogspot.com/2007/11/cookies-vs-url-rewriting.html

Upvotes: 2
