SEC-1052: Add option to prevent URL rewriting of jsessionid #1303
This is often seen as a security risk:
“Do not expose any session identifiers or any portion of valid credentials in URLs or logs (no session rewriting or storing the user’s password in log files)”
We should add an option in the namespace (and the HttpSessionSecurityContextRepository) to override URL encoding and prevent the id being written to the URL.
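One way to implement the option described above, as an added example rather than code from this issue or from Spring Security itself: a servlet filter that wraps the response so that `encodeURL()` and `encodeRedirectURL()` return the URL unchanged, which is the hook a Servlet container uses to append `;jsessionid=...` to links. It assumes the javax.servlet API (Servlet 3.x); the class and filter names are hypothetical.

```java
// Added example (not code from the Spring Security issue or project): a servlet
// filter that wraps the response so encodeURL()/encodeRedirectURL() never append
// ;jsessionid=... to links, which is what the option requested above achieves.
// Assumes the javax.servlet API (Servlet 3.x); class and filter names are hypothetical.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class DisableUrlRewritingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap before anything downstream (JSPs, redirects, Spring Security itself)
        // can ask the container to encode a URL.
        if (response instanceof HttpServletResponse) {
            response = new NoRewriteResponse((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Returns every URL unchanged, so the session id is never written into it. */
    static class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) {
            return url;
        }

        @Override
        public String encodeRedirectURL(String url) {
            return url;
        }

        // Deprecated variants are still called by some older containers and libraries.
        @Override
        @SuppressWarnings("deprecation")
        public String encodeUrl(String url) {
            return url;
        }

        @Override
        @SuppressWarnings("deprecation")
        public String encodeRedirectUrl(String url) {
            return url;
        }
    }
}
```

The filter must be the outermost one in the chain, otherwise a filter registered before it can still obtain a rewritten URL from the unwrapped response. Two caveats a practitioner should keep in mind: this only stops rewriting of URLs that go through `encodeURL()`/`encodeRedirectURL()` (a page that hard-codes `;jsessionid=` is not affected), and once rewriting is off, a client that refuses cookies cannot keep a session at all, which is the intended trade-off. On a Servlet 3.0 container the same effect is available declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, and Spring Security 3.0 later shipped the namespace attribute `disable-url-rewriting="true"` on `<http>` for exactly the case this issue raises.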
Chas Emerick said:
FYI, this should probably get added to the documentation here: