[
https://issues.apache.org/jira/browse/SHIRO-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12833587#action_12833587
]
Kalle Korhonen commented on SHIRO-83:
-------------------------------------
Oh yes, of course, should have seen that.
> Make sessionId cookie optional
> ------------------------------
>
> Key: SHIRO-83
> URL: https://issues.apache.org/jira/browse/SHIRO-83
> Project: Shiro
> Issue Type: Improvement
> Components: Web
> Affects Versions: 1.0.0
> Reporter: Les Hazlewood
> Fix For: 1.0.0
>
>
> In rich-client applications (Ajax, Flex, etc), it is more secure to have the
> rich-client framework explicitly send the session ID back to the server with
> every request in its native/encrypted format, rather than via cookies, which
> are more susceptible to man-in-the-middle attacks. GWT works this way as
> well.
> Make it a configuration possibility to disable cookies entirely, supporting
> this rich-client-over-http scenario.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
