W
whenshaw
Guest
Regarding the question about why the JSESSIONID is present at all in the URL: in addition to the reasons Edsel mentioned, one possibility is that the Web application is configured to send an X-CLIENT-CONTEXT-ID header in responses (you do this in the oeablSecurity---.xml or appSecurity---.xml file by setting the OEClientPrincipalFilter's ccid property to true). When that happens, the JSDO session management code adds the X-CLIENT-CONTEXT-ID header to future requests, AND adds the value as JSESSIONID to the URL, but doesn't do it correctly. As Edsel said, there is a bug logged and it is scheduled to be fixed.
Continue reading...
Continue reading...