[ https://issues.apache.org/jira/browse/OFBIZ-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054232#comment-15054232 ]
Jacques Le Roux commented on OFBIZ-4645:
----------------------------------------
This is disputable; see my comment at OFBIZ-1690. Long story short, people should not disable OFBiz cookies and jsessionid is not secure. OK, I disable cookies with tons of plugins in Firefox, but not OFBiz cookies, localhost and apache.org at least.
If nobody disagrees I will close as not a problem, but I really wonder if we should not even disable the feature in RequestHandler.makeLink (boolean forceManualJsessionid = !cookies) and rather warn users that they should enable OFBiz cookies when using an OFBiz based site.
> <link> creates links without jsessionid for users who have cookies disabled
> ---------------------------------------------------------------------------
>
> Key: OFBIZ-4645
> URL: https://issues.apache.org/jira/browse/OFBIZ-4645
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Christoph Neuroth
>
> HtmlMenuRenderer.renderLink uses WidgetWorker.buildHyperlinkUrl to construct the URL. Other parts of OFBiz use RequestHandler.makeLink. The latter will include the jsessionid as a parameter in the generated URL if necessary (i.e. cookies are not available), but the former does not. Because of this, all links that are rendered using the <link> tag in an XML Form definition will send the user back to the login page.