我该如何处理会话URL很长但无法附加JSESSIONID = 389729387392。对此有什么解决方案？

Question

I got the answer for If I disabled the cookies then using URL ReDirect I can pass the JSESSIONID but my URL is already very long as I use the GET method it has constraint. Then how should I use my sessions.I want my application to be very security intensive. This is one of the question asked to my friend in GOOGLE interview.

Answer 1

As far as I understand, your main problem with JSESSIONID in the URL is the total length.

Perhaps you should have a closer look at why the length of the URLs are too long in the first place. Since you allready have a session, it is not unlikely you can move some GET parameters to the session. There are also lots of different way to make shorter URLs for pages (a la mod_rewrite).

With regards to security, JSESSIONID is just as vunerable with HTTP GET as HTTP POST. The base64 encoding HTTP POST does is not a security measure at all. The best way to gain a bit more security is to encrypt the transport channel through TLS/SSL, in effect enable HTTPS. This will make sure that eavesdropping (or man in the middle attacks) will not have access to the plain text.

Answer 2

Apart from using one-letter parameter names (eg ?a=value1&b=value2&c=value3 or using RESTFul-like URL's (ie just the pathinfo, no query parameters, eg /value1/value2/value3 , which is accessible by HttpServletRequest#getPathInfo() in the servlet) instead of ?name1=value1&name2=value2&name3=value3 , you can also consider to Gzip and Base64-encode the query string so that it becomes shorter. Both JavaScript and Java are capable of (de)compressing and (d)e(n)coding it. You can eventually format the query string in JSON before compressing/encoding, it will be shorter in case of arrays/collections/maps.

That said, are you sure that the request URL's are often that unfriendly long (assuming that it's over 255 characters)? Why would you need to pass that much information in? Are they supposed to maintain the client state? If so, you shouldn't use the URL for this, but the HttpSession instance in the server side which is already associated with the jsessionid cooke. Use HttpSession#setAttribute() to store some information in session and use HttpSession#getAttribute() to retrieve it.

Answer 3

If you want your application to be security intensive why are you using GET. Use POST. This will also reduce the URL length.

As such, as per the HTTP protocol there is no max length limit to URL length. Most of the time its the browser that puts in the max length limit. Try different browsers

You should put forward the above points to the interviewer. They might be more interested in your ability to assess the system as a whole and identify any fundamental flaws.

Answer 4

If the URL is too long then you have to store that data somewhere else. Most sites would put the session ID in a cookie.