Cookie support refactoring - Simplify cookie configuration, support HttpOnly
cookies and default session cookies to be HttpOnly = true
--------------------------------------------------------------------------------------------------------------------------------------
Key: SHIRO-139
URL: https://issues.apache.org/jira/browse/SHIRO-139
Project: Shiro
Issue Type: Improvement
Components: Web
Affects Versions: 1.0.0
Reporter: Les Hazlewood
Fix For: 1.0.0
It would also be prudent to refactor the cookie support in Shiro to
1) remove the overly verbose and complex RequestAttribute /
CookieRequestAttribute concepts. This existed as a way to shield Shiro from
implementation details on how to persist and retrieve data across requests.
It'd be better to allow end-users to just configure a Cookie pojo instance that
is set on cookie-capable components which in turn use a mechanism to set/remove
the cookie
2) support the notion of HttpOnly cookies, which the Servlet 2.4/2.5 API does
not support, but which we could support with our own Cookie pojo used in
configuration (see #1) which we set on the response header directly
( response.setHeader instead of response.addCookie )
3) After adding #2, default Shiro's session cookie to be HttpOnly = true for
added security to reduce XSS attacks.
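As an added example, not code from the Shiro project or from the issue reporter, here is a minimal Cookie pojo along the lines of items 1 and 2: a plain configuration object that renders itself as a raw Set-Cookie header so the HttpOnly attribute can be emitted even though javax.servlet.http.Cookie in Servlet 2.4/2.5 has no setHttpOnly method. The class, field and method names (HttpOnlyCookie, toHeaderValue, saveTo, removeFrom) are assumptions of this example; only HttpServletResponse and its addHeader/setHeader methods are from the Servlet API. The sample session id in main is constructed.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative cookie pojo (hypothetical, not Shiro's own class). Because the
 * Servlet 2.4/2.5 Cookie class has no HttpOnly flag, the cookie is written as
 * a raw Set-Cookie header instead of via response.addCookie(...).
 */
public class HttpOnlyCookie {

    private final String name;
    private final String value;
    private String path = "/";
    private String domain;           // null: browser defaults to the request host
    private int maxAge = -1;         // -1: session cookie, no Max-Age/Expires written
    private boolean secure = false;
    private boolean httpOnly = true; // default proposed in item 3 of the issue

    public HttpOnlyCookie(String name, String value) {
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("cookie name is required");
        }
        this.name = checkToken(name);
        this.value = checkToken(value == null ? "" : value);
    }

    public HttpOnlyCookie setPath(String path)      { this.path = checkToken(path); return this; }
    public HttpOnlyCookie setDomain(String domain)  { this.domain = checkToken(domain); return this; }
    public HttpOnlyCookie setMaxAge(int maxAge)     { this.maxAge = maxAge; return this; }
    public HttpOnlyCookie setSecure(boolean secure) { this.secure = secure; return this; }
    public HttpOnlyCookie setHttpOnly(boolean flag) { this.httpOnly = flag; return this; }

    /**
     * Writing raw headers bypasses the container's own Cookie validation, so
     * reject control characters and cookie delimiters: a CR/LF or ';' in a
     * value would otherwise let attacker-influenced data inject header text
     * or extra cookie attributes.
     */
    private static String checkToken(String s) {
        if (s == null) return null;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || c == ';' || c == ',' || c == '"' || c == '\\') {
                throw new IllegalArgumentException("illegal character in cookie token: " + s);
            }
        }
        return s;
    }

    /** Renders the value of the Set-Cookie header for this cookie. */
    public String toHeaderValue() {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (domain != null) sb.append("; Domain=").append(domain);
        if (path != null)   sb.append("; Path=").append(path);
        if (maxAge >= 0) {
            // Max-Age for browsers that honour it; Expires for older ones that ignore Max-Age.
            sb.append("; Max-Age=").append(maxAge);
            sb.append("; Expires=").append(httpDate(System.currentTimeMillis() + maxAge * 1000L));
        }
        if (secure)   sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    /** addHeader rather than setHeader, so other Set-Cookie headers on the response survive. */
    public void saveTo(HttpServletResponse response) {
        response.addHeader("Set-Cookie", toHeaderValue());
    }

    /** Deletes the cookie: same name, Path and Domain, empty value, Max-Age=0. */
    public void removeFrom(HttpServletResponse response) {
        HttpOnlyCookie gone = new HttpOnlyCookie(name, "")
                .setPath(path).setDomain(domain).setMaxAge(0)
                .setSecure(secure).setHttpOnly(httpOnly);
        response.addHeader("Set-Cookie", gone.toHeaderValue());
    }

    private static String httpDate(long millis) {
        SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        return fmt.format(new Date(millis));
    }

    public static void main(String[] args) {
        // Constructed sample session id; a real deployment would use the container's id.
        HttpOnlyCookie session = new HttpOnlyCookie("JSESSIONID", "3f1c9a7e42b0d5e8");
        System.out.println(session.toHeaderValue());
        System.out.println(session.setSecure(true).toHeaderValue());
    }
}
```

Two practical points for anyone doing this by hand. First, response.setHeader("Set-Cookie", ...) replaces any Set-Cookie header already on the response, so a component that writes cookies this way should use addHeader unless it deliberately wants to be the only cookie writer. Second, HttpOnly only stops script on the page from reading the cookie via document.cookie; it does not stop an XSS payload from making authenticated requests from the victim's browser, so it reduces session-theft impact rather than preventing XSS, and it should be paired with the Secure flag when the application is served over HTTPS.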
--
This message is automatically generated by JIRA.