[
https://issues.apache.org/jira/browse/SHIRO-795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220117#comment-17220117
]
Mahendran Mookkiah commented on SHIRO-795:
------------------------------------------
Thanks [~bdemers].
I am trying to understand the "Why?" part of this implementation.
If it is a security concern, I see [https://www.zaproxy.org/docs/alerts/3/]
says "To be even more secure consider using a combination of cookie and URL
rewrite". If this statement from OWASP community is true, I am curious what
triggers to make this change?
> Disable session path rewriting by default
> -----------------------------------------
>
> Key: SHIRO-795
> URL: https://issues.apache.org/jira/browse/SHIRO-795
> Project: Shiro
> Issue Type: Improvement
> Reporter: Brian Demers
> Priority: Major
> Fix For: 2.0.0, 1.7.0
>
>
> After the addition of the "Invalid Request Filter", URL session rewriting is
> disabled.
> {code:java}
> # Enable the configuration in the session manager
> sessionManager.sessionIdUrlRewritingEnabled = true
> # and the invalid request filter
> invalidRequest.blockSemicolon = false
> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
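The interaction the quoted issue describes, modelled as an added example (not Shiro's own code): a URL-rewritten session id travels as a `;JSESSIONID=...` path parameter, so a filter that rejects semicolons in the path blocks URL rewriting no matter what the session manager flag says. The `Config` field names mirror the two shiro.ini keys quoted above; the default values and the `handle` logic are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Config:
    # Constructed defaults reflecting the behaviour the issue describes:
    # rewriting off, semicolons blocked. Names mirror the shiro.ini keys.
    session_id_url_rewriting_enabled: bool = False
    block_semicolon: bool = True


def path_session_id(path: str) -> Optional[str]:
    """Return a JSESSIONID carried as a path parameter, or None.

    Path parameters are the ';key=value' pairs attached to a path segment,
    e.g. '/app/home;JSESSIONID=abc'. The key match is case-insensitive.
    """
    for segment in path.split("/"):
        for param in segment.split(";")[1:]:
            key, _, value = param.partition("=")
            if key.lower() == "jsessionid" and value:
                return value
    return None


def handle(cfg: Config, url: str) -> str:
    """Simulate the request pipeline for one URL.

    Returns 'blocked' (invalid request filter rejected it),
    'session-from-url' (a path session id was honoured), or
    'no-url-session' (request passes, no session taken from the URL).
    """
    # urlsplit keeps ';param' inside .path, which is what we want here.
    path = urlsplit(url).path
    # Step 1: the invalid request filter runs before session resolution,
    # so a blocked semicolon never reaches the session manager.
    if cfg.block_semicolon and ";" in path:
        return "blocked"
    # Step 2: a path session id is only honoured when rewriting is enabled.
    if path_session_id(path) and cfg.session_id_url_rewriting_enabled:
        return "session-from-url"
    return "no-url-session"
```

Enabling only `sessionIdUrlRewritingEnabled` is not enough: the request is still rejected until `blockSemicolon` is also turned off, which is why the issue lists both settings together.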