Difference between encodeURL and encodeRedirectURL

Question

The javadoc for javax.servlet.http.HttpServletResponse is a little vague on the difference between what rules encodeURL and encodeRedirectURL follow, are there any examples of what those exact rules are? When will the output of encodeURL differ from encodeRedirectURL ?

For a concrete example, I am already generating a redirect url that I will use with response.sendRedirect(url) . I get that url already encoded, but I want to add a parameter to it which has a value that is another url:

param2=http://google.com

Which of the two functions do I use to encode this?

Answer 1

Salam Alekom Abduallah, I looked and looked for an answer I knew I would find it in either stackoverflow or coderanch and there I found the answer from Charles Lyons the author of the book in my hand right now it was a cheerful coincidence.

posted 8/9/2008 11:41 AM Exactly - the difference being that encodeURL always writes the session ID into the URL (if required eg because cookies are disabled), while encodeRedirectURL contains additional logic to determine if it is desirable to write the session ID in. It is a really bad idea to give foreign websites the session ID for example, since then they could impersonate your user's session. Hence encodeRedirectURL will only put the jsessionid on the URL if that URL lies within the current Web application, and not perform any rewriting otherwise.

Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004) Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340)

also I found this answer too which was posted earlier,

posted 4/19/2006 8:02 AM Quote Report post to moderator Hi,

The encodeURL is used to encode the url for session tracking in forward and include mechanism. The encodeRedirectURL encodes the specified URL for use in the sendRedirect method.

The main difference between two is, the implementation of encodeRedirectURL method includes the logic to determine whether the session ID needs to be encoded in the URL in the case when you are redirecting the URL to different context where the session information is not required or invalid. The encodeURL method do not appent the seesion id if the cookies are enabled. In addition to this encodeRedirectURL do not append the session information if the URL is redirected to the different context (web application). Because the rules for making this determination can differ from those used to decide whether to encode a normal link, this method is separete from the encodeURL method.

Hope this help you.

Thanks

Narendra Dhande

Answer 2

encodeURL() is used for all URLs in a servlet's output. It helps session ids to be encoded with the URL.

encodeRedirectURL() is used with res.sendRedirect only. It is also used for encoding session ids with URL but only while redirecting.