Re: [jira] [Commented] (SHIRO-351) Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)

Mon, 26 Mar 2012 13:27:04 -0700

Which mobile device does not support cookies or HTTP Request headers? It may not be convenient, but I stand by keeping session information - or any sensitive data - out of a HTTP GET request, even over HTTPS. Especially for a security library or security community as sharp as Shiro! :) 

- Jim

     [ 
https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13238719#comment-13238719
 ]

Gareth Collins commented on SHIRO-351:
--------------------------------------

Cookies are definitely better though sometimes you need to support this because 
certain mobile devices/client APIs do not support cookies.
For my implementation, this will be all over SSL and is not planned for use 
with a vanilla browser.




Shiro Native Session implementation cannot extract JSESSIONID From URL if 
JSESSIONID is URL parameter (not HTTP parameter)
--------------------------------------------------------------------------------------------------------------------------

                 Key: SHIRO-351
                 URL: https://issues.apache.org/jira/browse/SHIRO-351
             Project: Shiro
          Issue Type: Bug
          Components: Web
    Affects Versions: 1.2.0
         Environment: N/A
            Reporter: Gareth Collins

The background for this issue is here:
http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
In summary the issue is that Shiro supports extracting JSESSIONID from urls of 
this format:
http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
but not of this format (this URL format is generated by HTTPServletResponse 
encodeURL method and is Servlet specification 2.5 compliant):
http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
Shiro should be able to support both URL formats.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira





--
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

[email protected]
www.owasp.org

Reply via email to