5

I've seen the existing question: Difference between encodeURL and encodeRedirectURL. But it doesn't really answer the question. In my testing, these two methods seem to do the same thing. Whichever I use to print or sendRedirect, they both work fine.

So is there really any difference? I want to see the source code so maybe I can find the difference, but HttpServletResponse is an interface with no implementation. Where is the implementation code?

Hesey

3 Answers

5

but HttpServletResponse is an interface with no implementation. Where is the implementation code?

It's the servlet container itself which is the concrete Servlet API implementation. In the case of, for example, Apache Tomcat, the concrete implementation is org.apache.catalina.connector.Response. Here are the relevant extracts:

    /**
     * Encode the session identifier associated with this response
     * into the specified redirect URL, if necessary.
     *
     * @param url URL to be encoded
     */
    public String encodeRedirectURL(String url) {

        if (isEncodeable(toAbsolute(url))) {
            return (toEncoded(url, request.getSessionInternal().getIdInternal()));
        } else {
            return (url);
        }

    }

    /**
     * Encode the session identifier associated with this response
     * into the specified URL, if necessary.
     *
     * @param url URL to be encoded
     */
    public String encodeURL(String url) {

        String absolute = toAbsolute(url);
        if (isEncodeable(absolute)) {
            // W3c spec clearly said 
            if (url.equalsIgnoreCase("")){
                url = absolute;
            }
            return (toEncoded(url, request.getSessionInternal().getIdInternal()));
        } else {
            return (url);
        }

    }

The difference is very subtle. The encodeURL() uses the full absolute URL whenever the given (relative) URL is empty.

BalusC
  • I understand nothing. I need to remove the session ID from my redirected URL, which is a foreign domain URL. How can I do that? Because encodeRedirectURL adds jsessionid to the end of the URL, and it doesn't even look like a GET parameter. It has a comma. – gabby Apr 16 '15 at 14:41
  • @gabby: You basically have a different question than the one asked here. The current question basically asks how `encode(Redirect)URL` works "under the covers". It doesn't ask how to strip off the session ID path parameter from the URL. The path parameter separator is, by the way, a semicolon, not a comma. – BalusC Apr 16 '15 at 16:03
0

I looked and looked for an answer. I knew I would find it on either Stack Overflow or CodeRanch, and there I found the answer from Charles Lyons, the author of the book in my hand right now. It was a cheerful coincidence.

posted 8/9/2008 11:41 AM Exactly - the difference being that encodeURL always writes the session ID into the URL (if required e.g. because cookies are disabled), while encodeRedirectURL contains additional logic to determine if it is desirable to write the session ID in. It is a really bad idea to give foreign websites the session ID for example, since then they could impersonate your user's session. Hence encodeRedirectURL will only put the jsessionid on the URL if that URL lies within the current Web application, and not perform any rewriting otherwise.

Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004) Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340)

I also found this answer, which was posted earlier:

posted 4/19/2006 8:02 AM Hi,

The encodeURL is used to encode the url for session tracking in forward and include mechanism. The encodeRedirectURL encodes the specified URL for use in the sendRedirect method.

The main difference between the two is that the implementation of the encodeRedirectURL method includes the logic to determine whether the session ID needs to be encoded in the URL in the case when you are redirecting the URL to a different context where the session information is not required or invalid. The encodeURL method does not append the session ID if cookies are enabled. In addition to this, encodeRedirectURL does not append the session information if the URL is redirected to a different context (web application). Because the rules for making this determination can differ from those used to decide whether to encode a normal link, this method is separate from the encodeURL method.

Hope this helps you.

Thanks

Narendra Dhande

Ismail Marmoush
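As an added example (not part of the original answers and not Tomcat's code), here is a simplified Java model of the decision the quoted posts describe: append `;jsessionid` only when the ID did not arrive in a cookie and the target stays inside the current web application. The class, method and parameter names and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;

// Added illustration, not Tomcat's implementation. All names here are hypothetical.
public class SessionUrlRewriteDemo {

    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // True only when the target resolves to the same scheme, host, port and context path.
    static boolean sameApplication(URI request, String contextPath, URI target) {
        URI abs = request.resolve(target).normalize(); // also collapses "../" segments
        if (abs.getScheme() == null || abs.getHost() == null) return false;
        String path = abs.getPath();
        return abs.getScheme().equalsIgnoreCase(request.getScheme())
                && abs.getHost().equalsIgnoreCase(request.getHost())
                && port(abs) == port(request)
                && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    static String encodeForRedirect(String requestUrl, String contextPath, String url,
                                    String sessionId, boolean idFromCookie) {
        // The browser already returns the ID in a cookie: never put it in a URL.
        if (sessionId == null || idFromCookie) return url;
        URI target;
        try {
            target = URI.create(url);
        } catch (IllegalArgumentException e) {
            return url; // unparseable target: leave untouched
        }
        if (!sameApplication(URI.create(requestUrl), contextPath, target)) return url;
        // jsessionid is a path parameter, so it goes before any query string or fragment.
        int cut = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) cut = q;
        if (h >= 0 && h < cut) cut = h;
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        String req = "https://shop.example/app/checkout"; // constructed sample values
        String id = "ABC123";
        String[] targets = { "cart?item=7", "https://partner.example/landing",
                             "https://shop.example/other/page", "https://shop.example/app/../other" };
        for (String t : targets)
            System.out.println(t + " -> " + encodeForRedirect(req, "/app", t, id, false));
        System.out.println("cart -> " + encodeForRedirect(req, "/app", "cart", id, true));
    }
}
```

Only the first target is rewritten; the foreign host, the other context path, the `../` escape and the cookie-tracked session all come back unchanged.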
0

Those two methods can only produce different results when your application container uses URL parameters to communicate the session ID. Since almost everyone uses cookies to do this these days, it's unlikely that you will see a difference in your normal testing.

To force session IDs in URLs, either deactivate storing session cookies in your browser (and hope that your application server detects that fact) or explicitly enable session IDs in URLs in your application server.

Joachim Sauer