[
https://issues.apache.org/jira/browse/SHIRO-795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220122#comment-17220122
]
Brian Demers commented on SHIRO-795:
------------------------------------
IMHO, the "to be even more secure" part is not correct; rewriting is about
compatibility (not improving security).
There are a few things at play here.
1.) As described in that link, putting session info in a URL exposes the id
(server logs, javascript on page, etc.)
2.) Session rewriting is defined in section 7.1.3 Servlet Spec,
[https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf]
(and thus Shiro does need to support it).
3.) The last release of Shiro added functionality to block common URL escape
attacks (semicolons were included in that list). However, we did not update
the rewrite feature's default settings. This left the potential for a user
who triggered URL rewriting to also be blocked on their next request. (This
change resolves that issue.)
Does that answer your question?
> Disable session path rewriting by default
> -----------------------------------------
>
> Key: SHIRO-795
> URL: https://issues.apache.org/jira/browse/SHIRO-795
> Project: Shiro
> Issue Type: Improvement
> Reporter: Brian Demers
> Priority: Major
> Fix For: 2.0.0, 1.7.0
>
>
> After the addition of the "Invalid Request Filter", URL session rewriting is
> disabled.
> {code:java}
> # Enable the configuration in the session manager
> sessionManager.sessionIdUrlRewritingEnabled = true
> # and the invalid request filter
> invalidRequest.blockSemicolon = false{code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
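The two points the comment makes (a session id rewritten into the URL ends up in server logs and Referer headers, and a semicolon-blocking request filter will reject the very URL that rewriting produces) are illustrated below. This is an added example, not Shiro code and not from the issue: the log lines and session ids are constructed, and `blocked_by_invalid_request_filter` is a simplified model of a "block semicolons in the request path" rule, not a reimplementation of Shiro's InvalidRequestFilter.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed access-log lines (not real traffic); the session ids are made up.
# Line 1: a rewritten URL as the request itself.
# Line 2: the same rewritten URL leaking through the Referer header of a later request.
# Line 3: a normal request with no session id in the URL.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2020:10:00:01 +0000] "GET /app/account;JSESSIONID=8f3a2c1d9e HTTP/1.1" 200 512 "-"
10.0.0.6 - - [20/Oct/2020:10:00:02 +0000] "GET /app/home HTTP/1.1" 200 2048 "https://shop.example/app/account;JSESSIONID=8f3a2c1d9e"
10.0.0.7 - - [20/Oct/2020:10:00:03 +0000] "GET /app/search?q=shiro HTTP/1.1" 200 1024 "-"
"""

# Request line, status, size and Referer of a combined-format log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ "(?P<referer>[^"]*)"'
)
# Servlet path-parameter form of a rewritten session id: ...;jsessionid=<id>
SESSION_RE = re.compile(r"(?i)(;jsessionid=)([^;/?#]+)")


def session_ids_in_url(url):
    """Return every session id carried as a ;jsessionid= path parameter in url."""
    return [m.group(2) for m in SESSION_RE.finditer(url)]


def redact(url):
    """Replace session id values so findings can be reported without re-leaking them."""
    return SESSION_RE.sub(r"\1<redacted>", url)


def scan_log(text):
    """Return (line_no, field, redacted_url) for each request URI or Referer
    that carries a session id, i.e. each place the id has already leaked to."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("uri", "referer"):
            value = m.group(field)
            if session_ids_in_url(value):
                findings.append((n, field, redact(value)))
    return findings


def url_rewrite(url, session_id):
    """What URL session rewriting does: append ;JSESSIONID=<id> to the path,
    ahead of any query string (assumed shape, modelled on the servlet convention)."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + ";JSESSIONID=" + session_id))


def blocked_by_invalid_request_filter(uri, block_semicolon=True):
    """Simplified model (assumption, not Shiro's code) of a filter rule that
    rejects any request whose path contains a semicolon when the rule is on."""
    return block_semicolon and ";" in urlsplit(uri).path


if __name__ == "__main__":
    for line_no, field, url in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: session id in {field}: {url}")
    rewritten = url_rewrite("/app/account?tab=1", "8f3a2c1d9e")
    # The rewritten URL is exactly what the semicolon rule rejects, so a user
    # who got a rewritten link is blocked on the next request unless the rule is off.
    print(rewritten, "blocked:", blocked_by_invalid_request_filter(rewritten))
    print(rewritten, "blocked with rule off:",
          blocked_by_invalid_request_filter(rewritten, block_semicolon=False))
```

Running the scan over a real access log is a cheap way to confirm whether rewriting is actually occurring in a deployment; a non-empty result means session ids are already sitting in log storage and in third-party Referer headers, which is the exposure the comment's first point describes, and a reason to keep rewriting disabled unless a cookie-less client genuinely needs it.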