servlet-spec
  1. servlet-spec
  2. SERVLET_SPEC-43

Clarify behaviour of HttpServletResponse#encodeURL() with relative URLs

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      The Javadoc for HttpServletResponse#encodeURL() states that "The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL."

      The Javadoc gives one example of a test. Another possible test that may be performed is "Is the URL part of the web application?". If it is not, the session ID does not need to be encoded in the URL.

      That highlights the question of how relative URLs should be treated. The options I see are:
      a) relative URLs are always assumed to be part of the web application
      b) relative URLs are always relative the current HttpServletRequest
      c) container specific
      d) something else

      My current expectation is that b) is the intended behaviour and that it was not explicitly stated since it was viewed as the only possible option. It would be helpful of this expectation could be confirmed or denied and either way if a clarification could be added to the Javadoc for 3.1 onwards (and earlier versions where possible).

      Note the same issue exists for encodeRedirectURL()

      This question was triggered by https://issues.apache.org/bugzilla/show_bug.cgi?id=53469

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Shing Wai Chan
            Reporter:
            markt_asf
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: