- All Implemented Interfaces:
Prevents sessions from being created. Without sessions, minimal information
should be stored as cookies. In the event cookies are disabled, this filter
also adds the cookie values during URL rewriting. Any cookies added to the
URLs through rewriting will have a parameter name beginning with
cookie: (by default).
Only cookie names and values are encoded as URL parameters. Comments, paths, and other attributes are lost.
To ensure no namespace conflicts with cookies potentially rewritten as URL
parameters, any parameter in the request beginning with
cookie: (by default)
is filtered, even if it doesn't currently match an allowed cookie name.
The result of
getQueryString, however, is unaltered any may possibly
contain cookie parameters.
Any cookie name that is not in the configured list of cookies names is ignored and not presented to the application, whether it came from HTTP headers or URL parameters.
In the event a cookie value is available from both the headers and the URL parameters, the headers take precedence.
Note: If using JSP, add
session="false", for example:
<%@ page language="java" session="false" %>
Consider using in conjunction with
session-config to ensure that
;jsessionid is never added to the URLs.
TODO: Idea: When only one cookie name is allowed, convert it to be just the cookie symbol itself? This would means cookies would be lost when a second cookie added, but would be a cool short URL otherwise. Or a second init parameter that specifies which cookie name is the "shortCookie"? Or do we allow each cookie to mapped to a custom name instead of prefix + name?
TODO: Support empty cookieUrlParamPrefix? This would make it more difficult to separate cookies and parameters. It would make it where any cookie name allowed here would effectively never be able to be used as a parameter.
Field SummaryModifier and TypeFieldDescription
static final intThe maximum number of cookie names allowed.
MAXIMUM_COOKIESpublic static final int MAXIMUM_COOKIESThe maximum number of cookie names allowed.
- See Also:
initpublic void init
doFilterpublic void doFilter
(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
destroypublic void destroy()