Small suggestion — when the Struts designer generates a JSP with a form, the form method should default to post, for example:
<html:form action="/userLogin" method="post">
instead of
<html:form action="/userLogin">
The reason for this is that without the explicit post, the request defaults to get. Then, the application exposes the session ID as part of the displayed URL in the browser address after the form submits. You see this, for example, if you follow the quickstart tutorial — after submitting the login page, the login success page URL displays the session ID:
http://localhost:8080/StrutsLoginDemo/userLogin.do;jsessionid=C6A2472C89E71B5D11033A7F75548B17
This violates security policy in many organizations.
Thanks
—————–
*** Date: Wed Oct 12 13:44:01 EDT 2005
*** System properties:
OS=WindowsXP
OS version=5.1
Java version=1.5.0_03
*** MyEclipse details:
MyEclipse Enterprise Workbench
Version: 4.0.2 GA
Build id: 20051010-4.0.2-GA
*** Eclipse details:
Eclipse SDK
Version: 3.1.1
Build id: M20050929-0840
Eclipse Platform
Version: 3.1.1
Build id: M20050929-0840
Eclipse RCP
Version: 3.1.1
Build id: M20050929-0840
Eclipse Java Development Tools
Version: 3.1.1
Build id: M20050929-0840
Eclipse Plug-in Development Environment
Version: 3.1.1
Build id: M20050929-0840
Eclipse Project SDK
Version: 3.1.1
Build id: M20050929-0840
Eclipse startup command=-os
win32
-ws
win32
-arch
x86
-launcher
C:\eclipse\eclipse.exe
-name
Eclipse
-showsplash
600
-exitdata
3a0_48
-vm
C:\WINDOWS\system32\javaw.exe
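
An added example, not part of the original post or of MyEclipse: a Python check that lists `<html:form>` tags in JSP source that carry no explicit `method="post"`, and masks `;jsessionid=` values in URLs before they are logged or shared. The function names and the sample JSP are constructed for illustration; the sample URL is the one quoted in the post.

```python
import re

# Opening <html:form ...> tag; attributes may span several lines.
# Limitation: a '>' inside an attribute value (e.g. a scriptlet) ends the match early.
FORM_TAG = re.compile(r"<html:form\b([^>]*)>", re.IGNORECASE | re.DOTALL)
METHOD_POST = re.compile(r"""\bmethod\s*=\s*["']post["']""", re.IGNORECASE)
ACTION = re.compile(r"""\baction\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
# Session ID carried as a ;jsessionid= path parameter in a URL.
JSESSIONID = re.compile(r";jsessionid=[0-9A-Za-z._!-]+", re.IGNORECASE)

# Constructed sample JSP fragment: one form with method="post", one without.
SAMPLE_JSP = """<html:form action="/userRegister" method="post">
</html:form>
<html:form action="/userLogin">
</html:form>
"""

# URL quoted in the post above.
SAMPLE_URL = ("http://localhost:8080/StrutsLoginDemo/userLogin.do"
              ";jsessionid=C6A2472C89E71B5D11033A7F75548B17")


def forms_without_post(jsp_source):
    """Return (line_number, action) for each html:form lacking method="post"."""
    findings = []
    for match in FORM_TAG.finditer(jsp_source):
        attrs = match.group(1)
        if METHOD_POST.search(attrs):
            continue
        action = ACTION.search(attrs)
        line = jsp_source.count("\n", 0, match.start()) + 1
        findings.append((line, action.group(1) if action else None))
    return findings


def redact_session_ids(text):
    """Return (redacted_text, count) with every ;jsessionid= value masked."""
    return JSESSIONID.subn(";jsessionid=[REDACTED]", text)


if __name__ == "__main__":
    for line, action in forms_without_post(SAMPLE_JSP):
        print(f"line {line}: html:form action={action!r} has no method=\"post\"")
    redacted, count = redact_session_ids(SAMPLE_URL)
    print(f"{count} session ID(s) masked: {redacted}")
```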