Agreed on needing to support session re-writing. Would love to see a security log event, JavaDoc or both warning against this practice. :)
Aloha folks,
Jim

> [
> https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271797#comment-13271797
> ]
>
> Les Hazlewood commented on SHIRO-360:
> -------------------------------------
>
> Hi Jim,
>
> I totally agree - this is why I'd like it to be a customizable component
> where these things can be easily turned on/off instead of embedded in the
> ShiroHttpServletResponse implementation like it is today.
>
> However, because Shiro must adhere to the Servlet Specification, we have to
> support JSESSIONID appending - but we can still strongly recommend to people
> that they turn it off (or even likely turn it off by default). XSS defense
> was also on my mind when I thought about this too - hopefully we can kill a
> few birds with one stone here.
>
> Thanks for the feedback!!!
>
> Les
>
>> Create UrlEncoder
>> -----------------
>>
>> Key: SHIRO-360
>> URL: https://issues.apache.org/jira/browse/SHIRO-360
>> Project: Shiro
>> Issue Type: New Feature
>> Components: Web
>> Reporter: Les Hazlewood
>> Fix For: 1.3.0
>>
>>
>> To customize how URL encoding in a web app occurs, we should have a
>> UrlEncoder component. More specifically, this can be used to customize how
>> JSESSIONID is appended to a URL (if at all, depending on security
>> preferences).
>> The solution could be resolved as follows:
>> Create a new UrlEncoder interface:
>> public interface UrlEncoder {
>>     String encodeUrl(EncodeUrlRequest request);
>> }
>> The EncodeUrlRequest:
>> public interface EncodeUrlRequest {
>>     String getUrl();
>>     HttpServletRequest getHttpServletRequest();
>>     HttpServletResponse getHttpServletResponse();
>>     ServletContext getServletContext();
>> }
>> Update WebEnvironment to have a new property:
>> UrlEncoder getUrlEncoder();
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA
> administrators:
> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>

--
Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
[email protected]
www.owasp.org
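As an added illustration of the design discussed in this thread (example code written here, not Shiro's own implementation nor anything from SHIRO-360 beyond the two interfaces quoted above), this is one way a pluggable UrlEncoder could be wired so that URL session rewriting is turned off and any attempt to do it is logged, which is the "security log event" Jim asks for. The class name NoUrlRewritingUrlEncoder, the stripSessionId helper and the use of java.util.logging are my choices; it assumes the Servlet API (javax.servlet) is on the classpath.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The two interfaces exactly as proposed in SHIRO-360.
interface EncodeUrlRequest {
    String getUrl();
    HttpServletRequest getHttpServletRequest();
    HttpServletResponse getHttpServletResponse();
    ServletContext getServletContext();
}

interface UrlEncoder {
    String encodeUrl(EncodeUrlRequest request);
}

/**
 * Hypothetical UrlEncoder (not part of Shiro) that never appends JSESSIONID
 * and removes one if a caller already put it in the URL. The idea is that a
 * response wrapper routes encodeURL()/encodeRedirectURL() through this
 * component instead of letting the container rewrite the URL.
 */
public final class NoUrlRewritingUrlEncoder implements UrlEncoder {
    private static final Logger log =
            Logger.getLogger(NoUrlRewritingUrlEncoder.class.getName());

    @Override
    public String encodeUrl(EncodeUrlRequest request) {
        String url = request.getUrl();
        HttpServletRequest http = request.getHttpServletRequest();

        // A container would rewrite when a session exists and the request did not
        // carry the id in a cookie. Emit a security log event in that case so the
        // suppressed rewrite is visible to operators instead of silently dropped.
        if (http != null && http.getSession(false) != null
                && !http.isRequestedSessionIdFromCookie()) {
            log.log(Level.WARNING,
                    "Refusing to append JSESSIONID to {0}; session ids are not placed in URLs",
                    url);
        }

        String cleaned = stripSessionId(url);
        if (!cleaned.equals(url)) {
            log.log(Level.WARNING, "Removed a jsessionid path parameter from {0}", url);
        }
        return cleaned;
    }

    /**
     * Removes a ";jsessionid=..." path parameter (case-insensitive) from a URL.
     * The parameter ends at the next '/', '?' or '#', or at the end of the string,
     * so the query string and fragment are preserved.
     */
    static String stripSessionId(String url) {
        int start = url.toLowerCase().indexOf(";jsessionid=");
        if (start < 0) {
            return url;
        }
        int end = url.length();
        for (int i = start + 1; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                end = i;
                break;
            }
        }
        return url.substring(0, start) + url.substring(end);
    }

    // Stand-alone demonstration on constructed sample URLs (no servlet container needed).
    public static void main(String[] args) {
        String[] samples = {
            "https://app.example.test/account;jsessionid=SAMPLEID123?tab=profile",
            "https://app.example.test/account;JSESSIONID=SAMPLEID123#top",
            "https://app.example.test/account?tab=profile"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + stripSessionId(s));
        }
    }
}
```

In a real deployment the WebEnvironment property proposed in the issue (getUrlEncoder()) would return this class, and the response wrapper would call encodeUrl() rather than the container's encodeURL(); the warning-level events give the detection hook, and the unconditional return of a cookie-only URL gives the mitigation.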
