[ https://issues.apache.org/jira/browse/OFBIZ-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054786#comment-15054786 ]
Jacques Le Roux commented on OFBIZ-4645:
----------------------------------------
Also a very interesting complement for those who doubt https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

> <link> creates links without jsessionid for users who have cookies disabled
> ---------------------------------------------------------------------------
>
> Key: OFBIZ-4645
> URL: https://issues.apache.org/jira/browse/OFBIZ-4645
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Christoph Neuroth
>
> HtmlMenuRenderer.renderLink uses WidgetWorker.buildHyperlinkUrl to construct the URL. Other parts of OFBiz use RequestHandler.makeLink. The latter will include the jsessionid as a parameter in the generated URL if necessary (i.e. cookies are not available), but the former does not. Because of this, all links that are rendered using the <link> tag in an XML Form definition will send the user back to the login page.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
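
An added example, not part of the original message and not OFBiz code: a small audit that splits the links of a rendered page into those that carry a `;jsessionid=` path parameter and those that do not, which makes the inconsistency described in the issue visible and also lets a cookie-only deployment confirm that no session id reaches a URL. The sample page, its paths and the session id value are constructed.

```python
import re
from html.parser import HTMLParser

# Servlet containers append the session id as a path parameter:
#   /path;jsessionid=<id>?query#fragment
JSESSIONID_RE = re.compile(r";jsessionid=[^;?#/]*", re.IGNORECASE)


def strip_jsessionid(url):
    """Return (url_without_session_id, had_session_id)."""
    clean, count = JSESSIONID_RE.subn("", url)
    return clean, count > 0


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_links(html):
    """Split a page's links into (with_session_id, without_session_id).

    Links are returned with the session id removed so the report itself
    does not copy a live session identifier into logs or tickets.
    """
    parser = _HrefCollector()
    parser.feed(html)
    with_id, without_id = [], []
    for href in parser.hrefs:
        clean, had = strip_jsessionid(href)
        (with_id if had else without_id).append(clean)
    return with_id, without_id


# Constructed sample page: two rewritten links and one that was not rewritten.
SAMPLE_HTML = """
<a href="/example/control/main;jsessionid=0123456789ABCDEF.jvm1">Main</a>
<a href="/example/control/findorders?status=open">Find</a>
<a href="/example/control/orderview;jsessionid=0123456789ABCDEF.jvm1?orderId=X1#items">View</a>
"""
```

A page where both lists are non-empty is the mixed state the issue reports; a deployment that follows the cookie-only recommendation should see the first list empty.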