Session id is appended as a URL path parameter in the very first request: how to prevent this?

This is the default behavior of a servlet container. If the client doesn't send a cookie with the first request, the container cannot yet tell whether the client supports cookies. It therefore falls back to URL rewriting and embeds the session id in the URL.

But you can disable this in your web.xml using the session-config element:
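As an added example (not the original page's snippet), the weak setting that permits URL rewriting next to the cookie-only form; it assumes a Servlet 3.0+ container, and the web-app version and timeout value are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page. Assumes a Servlet 3.0+ container;
     the tracking-mode element does not exist in older web-app versions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Weak setting (commonly what a container uses when tracking-mode is omitted):
         <session-config>
           <tracking-mode>COOKIE</tracking-mode>
           <tracking-mode>URL</tracking-mode>
         </session-config>
       With URL allowed, the first response to a cookieless client carries the id as a
       ;jsessionid=... path parameter, which then leaks through Referer headers,
       proxy and access logs, and bookmarks. -->

  <!-- Hardened setting: cookie-only tracking plus cookie flags. -->
  <session-config>
    <session-timeout>30</session-timeout>          <!-- minutes; assumed value -->
    <cookie-config>
      <http-only>true</http-only>                  <!-- not readable by script -->
      <secure>true</secure>                        <!-- only sent over HTTPS -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>          <!-- never rewrite URLs -->
  </session-config>

</web-app>
```

Clients that reject cookies can no longer hold a session under this setting, which is the intended trade-off. To confirm it took effect, search the access logs for `;jsessionid=` after redeploying; no hits should appear.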


Various Attacks on Websites:

1. Cross-site scripting (XSS): so called because the script comes from another site. An attacker appends a script to the URL or manipulates some parameters, and if the application echoes that input back unescaped, the script runs in the victim's browser and can steal cookies or send data to a server the attacker controls. So we have to take care with the session, the cookies and the database: whitelist the tags that are allowed rather than relying on a blacklist of the ones that are not.

2. Cross-site request forgery (CSRF)…

