[
https://issues.apache.org/jira/browse/SHIRO-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12833497#action_12833497
]
Kalle Korhonen commented on SHIRO-83:
-------------------------------------
This is a container feature - for example in Tomcat you can specify
cookies=false in the context.xml (see
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html). Spec says url
rewriting is a fallback if client doesn't allow cookies but I'm not sure we
should deliberately go deleting a cookie set by the container. I'd close as
"won't fix" unless somebody provides better justification.
> Make sessionId cookie optional
> ------------------------------
>
> Key: SHIRO-83
> URL: https://issues.apache.org/jira/browse/SHIRO-83
> Project: Shiro
> Issue Type: Improvement
> Components: Web
> Affects Versions: 1.0.0
> Reporter: Les Hazlewood
> Fix For: 1.0.0
>
>
> In rich-client applications (Ajax, Flex, etc), it is more secure to have the
> rich-client framework explicitly send the session ID back to the server with
> every request in its native/encrypted format, rather than via cookies, which
> are more susceptible to man-in-the-middle attacks. GWT works this way as
> well.
> Make it a configuration possibility to disable cookies entirely, supporting
> this rich-client-over-http scenario.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
