[ https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239480#comment-13239480 ]
Gareth Collins commented on SHIRO-351:
--------------------------------------
Jim,

I understand your point of view and we could go away and discuss implementation
options for multiple devices, but it is kind of irrelevant to the problem at
hand. The Servlet 2.5 spec, section SRV.7.1.4 states:

"Web containers must be able to support the HTTP session while servicing HTTP
requests from clients that do not support the use of cookies."

This support is already there for Shiro native sessions. It just doesn't work
correctly.

I guess you could argue that this functionality should be removed. However,
even if you did remove it from Shiro native sessions, the user would still be
able to access this functionality if I used Tomcat/Jetty sessions instead (as
these containers are servlet 2.5 compliant)...so you would achieve little apart
from hobbling Shiro native session functionality.

> Shiro Native Session implementation cannot extract JSESSIONID From URL if
> JSESSIONID is URL parameter (not HTTP parameter)
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-351
> URL: https://issues.apache.org/jira/browse/SHIRO-351
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.2.0
> Environment: N/A
> Reporter: Gareth Collins
>
> The background for this issue is here:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
> In summary the issue is that Shiro supports extracting JSESSIONID from urls
> of this format:
> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
> but not of this format (this URL format is generated by HTTPServletResponse
> encodeURL method and is Servlet specification 2.5 compliant):
> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
> Shiro should be able to support both URL formats.
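
The two URL forms from the issue description, handled by one extractor. This is an added example, not Shiro's code or the fix applied to SHIRO-351; the class and method names are hypothetical, and the case-insensitive name match and the path-before-query lookup order are assumptions of the example.

```java
import java.net.URI;
import java.util.Optional;
public class SessionIdFromUrl {
    static final String NAME = "JSESSIONID"; // name as written in the issue; compared ignoring case

    // Path parameter is checked first, then the query string (order is this example's assumption).
    static Optional<String> extract(String url) {
        URI uri = URI.create(url);
        Optional<String> id = fromPathParams(uri.getRawPath());
        return id.isPresent() ? id : fromQuery(uri.getRawQuery());
    }

    // Path parameters follow ';' inside a path segment: /myResource;JSESSIONID=ABCDEF
    static Optional<String> fromPathParams(String rawPath) {
        if (rawPath == null) return Optional.empty();
        for (String segment : rawPath.split("/")) {
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) { // parts[0] is the segment name itself
                Optional<String> v = valueIfNamed(parts[i]);
                if (v.isPresent()) return v;
            }
        }
        return Optional.empty();
    }

    // Query parameters follow '?': /myResource?JSESSIONID=ABCDEF
    static Optional<String> fromQuery(String rawQuery) {
        if (rawQuery == null) return Optional.empty();
        for (String pair : rawQuery.split("&")) {
            Optional<String> v = valueIfNamed(pair);
            if (v.isPresent()) return v;
        }
        return Optional.empty();
    }

    // Returns the value of "name=value" when the name matches and the value is non-empty.
    static Optional<String> valueIfNamed(String pair) {
        int eq = pair.indexOf('=');
        boolean match = eq > 0 && pair.substring(0, eq).equalsIgnoreCase(NAME);
        if (match && eq + 1 < pair.length()) return Optional.of(pair.substring(eq + 1));
        return Optional.empty();
    }

    public static void main(String[] args) {
        String[] urls = { // the two URLs from the issue, plus one constructed URL with no id
            "http://www.mycompany.com/myResource?JSESSIONID=ABCDEF",
            "http://www.mycompany.com/myResource;JSESSIONID=ABCDEF",
            "http://www.mycompany.com/myResource" };
        for (String u : urls) System.out.println(u + " -> " + extract(u).orElse("(none)"));
    }
}
```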