I appreciate the report. The cookie spec is a bit vague on this and unfortunately browsers handle the corner cases differently. Please grab the latest snapshot later today (I just checked in a fix) which should resolve this but also keep the fix for the original issue in place.
Kalle On Mon, Oct 25, 2010 at 9:17 AM, Mike K <[email protected]> wrote: > > Having grabbed the latest shiro-1.10 snapshot I started experiencing login > issues in the application. Digging in further, I have noticed the following > difference with cookies dropped at login between the earlier code drop and > the newest: > OLD: > Set-Cookie: JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; > HttpOnly > NEW: > Set-Cookie: JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; > Max-Age=-1; HttpOnly > > > The difference is the setting of Max-Age=1, which seems like the right thing > to do according to http://www.faqs.org/rfcs/rfc2616.html. Unfortunately > this causes Firefox to delete the cookie and not forward it on subsequent > requests. IE is not affected by this change. > > This seems like a bug (even if it really is in Firefox), but perhaps the > devs here have a suggestion to mitigate this. > -- > View this message in context: > http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671317.html > Sent from the Shiro Developer mailing list archive at Nabble.com. >
