According to the JavaDoc for HttpServletResponse.encodeURL, the URL should be modified "by including the session ID, or, if encoding is not needed, returns the URL unchanged".
While the phrase "is not needed" is not precisely defined, there is an example:
For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
I raised a question on the Apache Tomcat development mailing list about CSRF tokens and used the example of HttpServletResponse.encodeURL for potential guidance on how our CSRF prevention should work. Our current implementation of HttpServletResponse.encodeURL will add the ;jsessionid=... parameter to the URL each time encodeURL is called. What is the expected behavior from a specification perspective?
If we were to implement a smarter encodeURL to avoid adding multiple ;jsessionid=... parameters, would that be in line with the intent of the specification, or a vendor extension that doesn't really belong?
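To make the "smarter encodeURL" idea concrete, here is an added illustration of an idempotent session-id rewriter. It is not Tomcat's implementation and not part of the original post: the class name SessionUrlRewriter, its encodeURL signature (session id and cookie support passed in explicitly instead of read from the request) and the sample URLs are assumptions made for the example. It appends ;jsessionid=... only when encoding is needed, and only if the path does not already carry one, so calling it twice on the same URL gives the same result as calling it once.

```java
// Added example (not Tomcat's code): an idempotent URL rewriter in the
// spirit of HttpServletResponse.encodeURL.  Names and signature are assumed.
public final class SessionUrlRewriter {

    private static final String SESSION_PARAM = ";jsessionid=";

    private SessionUrlRewriter() {}

    // Index where the path component ends: the first '?' or '#', or end of string.
    private static int pathEnd(String url) {
        int end = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) end = Math.min(end, q);
        if (h >= 0) end = Math.min(end, h);
        return end;
    }

    // True when the path part already carries a jsessionid path parameter.
    // Only the path is inspected, so a query value containing the same text
    // does not count as "already encoded".
    static boolean hasSessionId(String url) {
        return url.substring(0, pathEnd(url)).contains(SESSION_PARAM);
    }

    // Mirrors the JavaDoc contract: return the URL unchanged when encoding is
    // not needed (cookies work, or there is no session), otherwise add the
    // session id to the path exactly once.
    static String encodeURL(String url, String sessionId, boolean cookiesSupported) {
        if (url == null) {
            throw new IllegalArgumentException("url must not be null");
        }
        if (cookiesSupported || sessionId == null || sessionId.isEmpty()) {
            return url;                       // encoding is not needed
        }
        if (hasSessionId(url)) {
            return url;                       // already encoded: idempotent
        }
        int cut = pathEnd(url);
        // Path parameters belong to the last path segment, before '?' or '#'.
        return url.substring(0, cut) + SESSION_PARAM + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        String sid = "EXAMPLE0123456789";       // constructed sample session id
        String[] samples = {                    // constructed sample URLs
            "/app/page.jsp",
            "/app/page.jsp?x=1",
            "/app/page.jsp?x=1#top",
            "/app/page.jsp;jsessionid=EXAMPLE0123456789?x=1"
        };
        for (String url : samples) {
            String once = encodeURL(url, sid, false);
            String twice = encodeURL(once, sid, false);
            System.out.println(url + " -> " + once);
            System.out.println("  second call unchanged: " + once.equals(twice));
            System.out.println("  with cookies, unchanged: " + url.equals(encodeURL(url, sid, true)));
        }
    }
}
```

The duplicate check deliberately looks only at the path component, because that is where the servlet path parameter lives; a real container would additionally refuse to rewrite URLs that point at a different host, which this example leaves out.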