[ 
https://issues.apache.org/jira/browse/SHIRO-536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brian Demers resolved SHIRO-536.
--------------------------------
    Resolution: Duplicate

> Session token in url
> --------------------
>
>                 Key: SHIRO-536
>                 URL: https://issues.apache.org/jira/browse/SHIRO-536
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in), Session Management
>    Affects Versions: 1.2.3
>         Environment: Security
>            Reporter: Nagaraju Kurma
>              Labels: security
>
> Hello Team,
> As we know, this is one of the vulnerability challenges where we are 
> supposed to remove JSESSIONID from the URL.
> I observed that there is a possibility with the plain servlet API 3.x version, 
> with the web.xml configuration which disables the JSESSIONID in the URL being
> <session-config>
>  <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> But Shiro will identify and read the above configuration if and only if the 
> Shiro XML contains a session manager configuration with the class 
> <bean id="sessionManager" 
> class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>
> But the limitations with the above class are:
> 1) No session listeners configuration
> 2) No session DAO configuration
> 3) No session validation scheduler configuration
> 4) No invalid session deletion configuration
> ...
> ...
> etc.
> But removing the session token from the URL is possible with this.
> To address all the above limitations I am using the following session manager:
> <bean id="sessionManager" 
> class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>
> But with this I am unable to hide the session token from the URL, as it doesn't read 
> the web.xml configuration, context.xml, etc.
> Does anybody have a workaround for this, or is there any other session manager 
> which includes the functionality of both of the above session managers, so that I can 
> address all the above limitations and the session token issue? 
> I am facing issues with this insufficient configuration. Could anybody 
> please suggest the way forward?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
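The two session managers quoted in the report pull in opposite directions on Shiro 1.2.3: ServletContainerSessionManager honours the container's COOKIE tracking mode but drops the native-session features, while DefaultWebSessionManager keeps those features but manages its own JSESSIONID cookie and does its own URL rewriting, so web.xml has no say. The code below is an added illustration, not code from the Shiro project or from the reporter. It assumes Shiro 1.3.0 or later, where DefaultWebSessionManager gained the sessionIdUrlRewritingEnabled property, and a servlet 3.x container; the class name CookieOnlySessions, the filter RejectUrlSessionIdFilter, the in-memory DAO and the 30/15 minute timeouts are hypothetical choices made for the example. The filter is a defence-in-depth check for the case where URL rewriting cannot be switched off (for instance on 1.2.x): it refuses any request that presents a session id as a ;JSESSIONID= path parameter or a jsessionid query parameter, which is where Shiro's DefaultWebSessionManager would otherwise read it from.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Hypothetical holder class for this example; not part of Shiro. */
public final class CookieOnlySessions {

    private CookieOnlySessions() {}

    /**
     * Native Shiro session manager that keeps the DAO, validation scheduler
     * and invalid-session deletion, but never places the id in a URL.
     * Assumes Shiro 1.3.0+ (sessionIdUrlRewritingEnabled did not exist in 1.2.3).
     */
    public static DefaultWebSessionManager cookieOnlySessionManager() {
        SimpleCookie cookie = new SimpleCookie("JSESSIONID");
        cookie.setHttpOnly(true);  // keep the id away from script
        cookie.setSecure(true);    // only sent over HTTPS; assumes the app is served over TLS
        cookie.setMaxAge(-1);      // browser-session cookie, not persisted to disk

        DefaultWebSessionManager sm = new DefaultWebSessionManager();
        sm.setSessionIdCookieEnabled(true);
        sm.setSessionIdCookie(cookie);
        // The fix for the reporter's problem: encodeURL()/encodeRedirectURL()
        // stop appending ;JSESSIONID=... to links and redirects.
        sm.setSessionIdUrlRewritingEnabled(false);

        // The features ServletContainerSessionManager cannot offer.
        sm.setSessionDAO(new MemorySessionDAO());           // example only; use a persistent DAO in production
        sm.setGlobalSessionTimeout(30L * 60L * 1000L);      // 30 minutes, chosen for the example
        sm.setSessionValidationSchedulerEnabled(true);
        sm.setSessionValidationInterval(15L * 60L * 1000L); // 15 minutes, chosen for the example
        sm.setDeleteInvalidSessions(true);
        return sm;
    }

    /**
     * Hypothetical servlet filter: rejects requests that carry a session id in
     * the URL. Map it in web.xml before ShiroFilter so the raw request is checked.
     */
    public static final class RejectUrlSessionIdFilter implements Filter {

        // ;JSESSIONID=... path parameter, as Shiro's own URL rewriting produces it
        private static final Pattern PATH_PARAM = Pattern.compile("(?i);jsessionid=");
        // ?JSESSIONID=... or &jsessionid=..., which DefaultWebSessionManager also accepts
        private static final Pattern QUERY_PARAM = Pattern.compile("(?i)(^|&)jsessionid=");

        /** True when the session id arrived in the URL rather than in a cookie. */
        public static boolean carriesSessionIdInUrl(HttpServletRequest req) {
            String uri = req.getRequestURI();
            String query = req.getQueryString();
            return req.isRequestedSessionIdFromURL()
                    || (uri != null && PATH_PARAM.matcher(uri).find())
                    || (query != null && QUERY_PARAM.matcher(query).find());
        }

        @Override
        public void init(FilterConfig filterConfig) {}

        @Override
        public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            if (carriesSessionIdInUrl(req)) {
                // Refuse rather than honour the id: a URL-borne id has likely already
                // leaked via Referer headers, proxy logs or browser history.
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            chain.doFilter(request, response);
        }
    }
}
```

Wire cookieOnlySessionManager() in as the securityManager's sessionManager (in Spring, a factory-method bean or an equivalent XML bean with the same properties) and keep the web.xml tracking-mode COOKIE setting as well, since it governs any plain container sessions the application still creates. The secure flag on the cookie means the session will not be sent at all over plain HTTP, so test the change on an HTTPS deployment.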