fusioncop / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

JSESSIONID is hard-coded in WAF files #174

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Hard-coded references to JSESSIONID (instead of configurable session id name) are here:
src/java/org.owasp.esapi.waf.configuration.ConfigurationParser:65
test/resources/.esapi/waf-policy.xml:34

What is the expected output? What do you see instead?
Expect configurable session id name based on HttpUtilities.HttpSessionIdName in ESAPI.properties file ... instead JSESSIONID is hard-coded.

Original issue reported on code.google.com by jtmel...@gmail.com on 5 Nov 2010 at 3:29

GoogleCodeExporter commented 9 years ago
Set to milestone release 2.0

Original comment by jtmel...@gmail.com on 5 Nov 2010 at 3:30

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 5 Nov 2010 at 3:35

GoogleCodeExporter commented 9 years ago
Fixed this with SVN revision 1729 in org.owasp.esapi.waf.configuration.ConfigurationParser by setting it to the value returned by ESAPI.securityConfiguration().getHttpSessionIdName(). [Note: I left this as a 'private static final', initialized in a static initializer with an appropriate try / catch block. This means if ESAPI.properties changes HttpUtilities.HttpSessionIdName and is reparsed, the same value will still be used. If this is not acceptable behavior, then re-open this issue or create a new one. Also, because the code was so simple, I did not write any new JUnit tests to test it.]

Finally, I am not sure what is expected to be done for 'test/resources/esapi/waf-policy.xml' as it seems to require a hard-coded value.

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 8:29
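The fix comment above describes reading the session-id cookie name once in a static initializer, and notes the trade-off that a reparsed ESAPI.properties will not be noticed. The following is an added illustration of both variants, written for this page and not taken from the ESAPI ConfigurationParser itself. It relies only on the public ESAPI calls named in the thread (ESAPI.securityConfiguration().getHttpSessionIdName()); the class name, the package, the fallback constant and the catch of RuntimeException are assumptions for illustration.

```java
package example; // hypothetical package; not part of the ESAPI source tree

import org.owasp.esapi.ESAPI;

/**
 * Two ways of sourcing the session-id cookie name for WAF rules, so that
 * a deployment using a renamed session cookie is still matched correctly.
 * Added example; not the actual ESAPI ConfigurationParser code.
 */
public final class SessionIdNameExample {

    /** Fallback used only when the ESAPI configuration cannot be read (assumed default). */
    private static final String DEFAULT_SESSION_ID_NAME = "JSESSIONID";

    /**
     * Variant 1: the pattern described in the fix comment. The configured
     * name is read once, at class load, guarded by try/catch. A later change
     * to HttpUtilities.HttpSessionIdName in ESAPI.properties, even if the
     * file is reparsed, is NOT reflected here for the life of the JVM.
     */
    private static final String CACHED_SESSION_ID_NAME;

    static {
        String name;
        try {
            name = ESAPI.securityConfiguration().getHttpSessionIdName();
        } catch (RuntimeException e) { // e.g. ESAPI.properties missing or unreadable
            name = DEFAULT_SESSION_ID_NAME;
        }
        CACHED_SESSION_ID_NAME = (name == null || name.isEmpty())
                ? DEFAULT_SESSION_ID_NAME : name;
    }

    public static String cachedSessionIdName() {
        return CACHED_SESSION_ID_NAME;
    }

    /**
     * Variant 2: honour a reparsed ESAPI.properties by asking the
     * SecurityConfiguration on every call instead of caching at class load.
     * Slightly more work per request, but the WAF never drifts from the
     * cookie name the application is actually issuing.
     */
    public static String currentSessionIdName() {
        try {
            String name = ESAPI.securityConfiguration().getHttpSessionIdName();
            return (name == null || name.isEmpty()) ? DEFAULT_SESSION_ID_NAME : name;
        } catch (RuntimeException e) {
            return DEFAULT_SESSION_ID_NAME;
        }
    }

    /** Example consumer: is this request cookie the configured session-id cookie? */
    public static boolean isSessionIdCookie(String cookieName) {
        return currentSessionIdName().equals(cookieName);
    }

    private SessionIdNameExample() {
    }
}
```

Whichever variant a WAF rule uses, the point of the issue stands: the name must come from the same ESAPI.properties setting the application uses, not from a literal "JSESSIONID", otherwise rules that single out the session cookie (for example, those that enforce cookie attributes) silently stop applying once the cookie is renamed.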