[
https://issues.apache.org/jira/browse/SHIRO-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12833583#action_12833583
]
Les Hazlewood commented on SHIRO-83:
------------------------------------
This issue was created based on using Shiro in native session mode, not when
using servlet container sessions. Currently native session mode always sets a
session cookie in all cases and an end user should be able to turn that off if
desired. URL Rewriting is already working though, so we're good to go there.
> Make sessionId cookie optional
> ------------------------------
>
> Key: SHIRO-83
> URL: https://issues.apache.org/jira/browse/SHIRO-83
> Project: Shiro
> Issue Type: Improvement
> Components: Web
> Affects Versions: 1.0.0
> Reporter: Les Hazlewood
> Fix For: 1.0.0
>
>
> In rich-client applications (Ajax, Flex, etc), it is more secure to have the
> rich-client framework explicitly send the session ID back to the server with
> every request in its native/encrypted format, rather than via cookies, which
> are more susceptible to man-in-the-middle attacks. GWT works this way as
> well.
> Make it a configuration possibility to disable cookies entirely, supporting
> this rich-client-over-http scenario.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
