Deprecated feature

Using URL rewriting for session management

Deprecated: Using URL rewriting for session management was deprecated in HCL Commerce Version 9.

Recommended action: Use cookie-based session management.

Browsers and e-commerce sites use HTTP to communicate. HTTP is a stateless protocol, which means that each command is run independently without any knowledge of the commands that came before it. Because it is a stateless protocol, sessions must be managed between the browser side and the server side.

With URL rewriting, all links that are returned to the browser or that get redirected have the session ID appended to them. When the user clicks these links, the rewritten form of the URL is sent to the server as part of the client request. The servlet engine recognizes the session ID in the URL and saves it so that it can obtain the proper object for this user.

Important: HCL Commerce dynamic caching and URL rewriting cannot be used together. If URL rewriting is enabled, then you must disable HCL Commerce dynamic caching.

To use URL rewriting, links cannot point to HTML files (files with .html or .htm extensions); JSP pages must be used for display purposes. A session with URL rewriting expires when the customer logs off.

Because URLs returned to the browser contain session IDs, another user with access to the browser history (for example, on a shared computer) might gain access to sensitive information exchanged during a session if the session is left active. To prevent such unauthorized access, site developers can add a notice to their site to tell customers to always log off at the end of their visit so that their session ends, particularly on a shared computer.
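For sites still running with URL rewriting, the following added example (not HCL Commerce code) scans web server access logs for session IDs carried in request URLs, flags IDs that are used again after a long idle gap, and redacts the IDs before logs are shared. It assumes the servlet-default `;jsessionid=` path parameter, combined-format access logs, and a 30-minute idle threshold; the log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Assumption: the servlet engine appends the ID as ";jsessionid=<id>" (servlet default name).
SESSION_PARAM = re.compile(r';jsessionid=([^;?#\s"]+)', re.IGNORECASE)
# Assumption: common/combined access log format; only timestamp and URL are needed.
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*"')

def redact(text):
    """Replace every session ID in text with a fixed marker."""
    return SESSION_PARAM.sub(";jsessionid=[REDACTED]", text)

def session_requests(lines):
    """Map each session ID found in a request URL to its request times."""
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        for sid in SESSION_PARAM.findall(m.group("url")):
            seen.setdefault(sid, []).append(when)
    return seen

def reused_after_idle(seen, max_idle=timedelta(minutes=30)):
    """Session IDs requested again after a gap longer than max_idle.

    A long gap followed by new requests is consistent with a session that was
    left active and later reopened from a stored URL (for example, history).
    """
    flagged = []
    for sid, times in seen.items():
        times = sorted(times)
        if any(later - earlier > max_idle for earlier, later in zip(times, times[1:])):
            flagged.append(sid)
    return sorted(flagged)

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/OrderView.jsp;jsessionid=AAAA1111?orderId=5 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /shop/Cart.jsp;jsessionid=AAAA1111 HTTP/1.1" 200 700',
    '192.0.2.10 - - [01/Jan/2024:11:30:00 +0000] "GET /shop/OrderView.jsp;jsessionid=AAAA1111?orderId=5 HTTP/1.1" 200 512',
    '203.0.113.4 - - [01/Jan/2024:11:31:00 +0000] "GET /shop/Home.jsp;jsessionid=BBBB2222 HTTP/1.1" 200 300',
    '203.0.113.4 - - [01/Jan/2024:11:40:00 +0000] "GET /shop/Cart.jsp;jsessionid=BBBB2222 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    seen = session_requests(SAMPLE_LOG)
    print("session IDs exposed in URLs:", sorted(seen))
    print("reused after idle gap:", reused_after_idle(seen))
    print(redact(SAMPLE_LOG[0]))
```

Any session ID that this scan finds is also present wherever the URL was stored, so the count of exposed IDs is a direct measure of how much of the site still depends on URL rewriting rather than cookies.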