jsessionid or How to protect against WebSphere admins

This is a follow-up for the Beware of WebSphere admins post just below – read it to find out how this relates to the jsessionid discussion

My first immediate conclusion after the described deployment problems was to ban the use of the jsession cookie in future applications. If the application always includes the jsessionid parameter in URLs there’s nothing that can go wrong during deployment in terms of cookie paths.

Contemplating a second longer made it obvious that maybe this wouldn’t be such a wise decision after all. There are number of developers who try to enforce the exact opposite because the jsessionid URL suffix can be considered harmful. I highly recommend reading the following two blog posts that support this thesis:

http://randomcoder.com/articles/jsessionid-considered-harmful
http://boncey.org/2007_1_8_purging_jsessionid

Leave a Reply

Your email address will not be published. Required fields are marked *