Perhaps we could provide a warning in the JavaDoc and explain the risk of session id leakage over HTTP GET requests when session rewriting is enabled?
The FNG (F. New Guy),

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Mar 27, 2012, at 3:00 PM, "Gareth Collins (Commented) (JIRA)" <[email protected]> wrote:

>
> [ https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239480#comment-13239480 ]
>
> Gareth Collins commented on SHIRO-351:
> --------------------------------------
>
> Jim,
>
> I understand your point of view and we could go away and discuss
> implementation options for multiple devices, but it is kind of irrelevant to
> the problem at hand. The Servlet 2.5 spec, section SRV.7.1.4 states:
>
> "Web containers must be able to support the HTTP session while servicing HTTP
> requests from clients that do not support the use of cookies."
>
> This support is already there for Shiro native sessions. It just doesn't work
> correctly.
>
> I guess you could argue that this functionality should be removed. However,
> even if you did remove it from Shiro native sessions, the user would still be
> able to access this functionality if I used Tomcat/Jetty sessions instead (as
> these containers are servlet 2.5 compliant)...so you would achieve little
> apart from hobbling Shiro native session functionality.
>
>> Shiro Native Session implementation cannot extract JSESSIONID From URL if
>> JSESSIONID is URL parameter (not HTTP parameter)
>> --------------------------------------------------------------------------------------------------------------------------
>>
>>                 Key: SHIRO-351
>>                 URL: https://issues.apache.org/jira/browse/SHIRO-351
>>             Project: Shiro
>>          Issue Type: Bug
>>          Components: Web
>>    Affects Versions: 1.2.0
>>         Environment: N/A
>>            Reporter: Gareth Collins
>>
>> The background for this issue is here:
>> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
>> In summary the issue is that Shiro supports extracting JSESSIONID from URLs
>> of this format:
>> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
>> but not of this format (this URL format is generated by HTTPServletResponse
>> encodeURL method and is Servlet specification 2.5 compliant):
>> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
>> Shiro should be able to support both URL formats.
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA
> administrators:
> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>
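The two URL shapes under discussion, the query-string form `?JSESSIONID=...` and the servlet path-parameter form `;JSESSIONID=...` that `encodeURL` emits, are easy to confuse in a parser, and the path form can sit on any path segment and be followed by a query string. The following is an added, stand-alone illustration (not Shiro's code, and not part of the thread) of a lookup that accepts both forms, plus a helper that strips the id from a URL before it is written to an access log or forwarded as a Referer, which is the leakage risk raised in the reply above. The function names, the case-insensitive matching and the example URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Name of the session id parameter; matched case-insensitively here because
# containers differ in whether they emit "JSESSIONID" or "jsessionid" (assumption).
SESSION_PARAM = "JSESSIONID"


def _is_session_param(name):
    return name.upper() == SESSION_PARAM


def _path_param_session_id(path):
    """Find a servlet path parameter (";name=value" attached to a path
    segment, e.g. /a;jsessionid=X/b) carrying the session id."""
    for segment in path.split("/"):
        _head, sep, params = segment.partition(";")
        if not sep:
            continue
        for param in params.split(";"):
            name, eq, value = param.partition("=")
            if eq and value and _is_session_param(name):
                return value
    return None


def extract_session_id(url):
    """Return (session_id, source) where source is "path" for the
    ;JSESSIONID=... form, "query" for the ?JSESSIONID=... form, or
    (None, None) when the URL carries no session id at all.

    The path form is checked first because that is what encodeURL produces;
    a query-string id is accepted as the fallback the thread says Shiro
    already handles."""
    parts = urlsplit(url)  # urlsplit keeps ";params" inside .path
    sid = _path_param_session_id(parts.path)
    if sid:
        return sid, "path"
    for name, values in parse_qs(parts.query).items():
        if _is_session_param(name) and values:
            return values[0], "query"
    return None, None


def strip_session_id(url):
    """Remove the session id from both the path-parameter and query-string
    positions so the URL can be logged or sent as a Referer without leaking
    the id. Other path parameters and query pairs are preserved."""
    parts = urlsplit(url)
    segments = []
    for segment in parts.path.split("/"):
        head, sep, params = segment.partition(";")
        if sep:
            kept = [p for p in params.split(";")
                    if not _is_session_param(p.partition("=")[0])]
            segment = head + "".join(";" + p for p in kept)
        segments.append(segment)
    query = "&".join(pair for pair in parts.query.split("&")
                     if pair and not _is_session_param(pair.partition("=")[0]))
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments),
                       query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs mirroring the two forms from the issue report.
    for sample in (
        "http://www.mycompany.com/myResource?JSESSIONID=ABCDEF",
        "http://www.mycompany.com/myResource;JSESSIONID=ABCDEF",
        "http://www.mycompany.com/app/myResource;jsessionid=ABCDEF?x=1",
        "http://www.mycompany.com/myResource",
    ):
        print(sample, "->", extract_session_id(sample), "| logged as:",
              strip_session_id(sample))
```

The parser deliberately does not trust the id it finds: resolving a URL-carried id to an existing session, and deciding whether to honour it at all when the client could have used a cookie, is the caller's job. If URL rewriting must stay enabled, logging only `strip_session_id(url)` is the minimum that keeps ids out of access logs.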
