Make sessionId cookie optional
------------------------------
Key: SHIRO-83
URL: https://issues.apache.org/jira/browse/SHIRO-83
Project: Shiro
Issue Type: Improvement
Components: Web
Affects Versions: 1.0
Reporter: Les Hazlewood
Fix For: 1.0
In rich-client applications (Ajax, Flex, etc), it is more secure to have the
rich-client framework explicitly send the session ID back to the server with
every request in its native/encrypted format, rather than via cookies, which
are more susceptible to man-in-the-middle attacks. GWT works this way as well.
Make it a configuration possibility to disable cookies entirely, supporting
this rich-client-over-http scenario.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
