Hey everybody, I'm currently working on a Grails app that utilizes the Shiro plugin. I'm not really sure if the problem is in Shiro or the Grails plugin -- but after poking in the plugin's source code I think it's an issue with Shiro.
The problem I'm having is that Shiro retains JSESSIONIDs across logins, rendering it vulnerable to session fixation attacks (http://www.owasp.org/index.php/Session_Fixation). The app I'm working on has to meet very high security standards and this issue has been flagged. So far I have been unable to work around it. Is there a way to get Shiro to restart the session and therefore prevent session fixation attacks? Or is there another way to prevent them that I am not aware of? -- Cheers, Jakob
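As an added illustration of the mitigation the question is asking about (example code, not from the original post or from the Shiro/Grails plugin), here is a hypothetical Grails login action that stops the pre-authentication Shiro session before calling `subject.login()`, so the JSESSIONID issued to the anonymous visitor is discarded and a fresh one is created only after successful authentication. It assumes Shiro's default container-backed web sessions (`ServletContainerSessionManager`), where `Session.stop()` invalidates the underlying `HttpSession`; the controller, action and `targetUri` attribute names are this example's own.

```groovy
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authc.AuthenticationException
import org.apache.shiro.authc.UsernamePasswordToken
import org.apache.shiro.session.Session
import org.apache.shiro.subject.Subject

// Hypothetical controller for this example; not the plugin's own AuthController.
class AuthController {

    def signIn = {
        Subject subject = SecurityUtils.subject
        UsernamePasswordToken token =
            new UsernamePasswordToken(params.username, params.password)

        // Carry over only the pre-login state the app genuinely needs
        // (here: the page the user originally asked for). Everything else,
        // including the attacker-controllable session id, dies with the old session.
        Map<String, Object> carryOver = [:]
        Session oldSession = subject.getSession(false)
        if (oldSession != null) {
            carryOver.targetUri = oldSession.getAttribute('targetUri')
            // With container-backed sessions this invalidates the HttpSession,
            // so the old JSESSIONID can no longer be used by anyone.
            oldSession.stop()
        }

        try {
            // Shiro lazily starts a new session while binding the principals,
            // which is what hands the browser a new JSESSIONID cookie.
            subject.login(token)
        } catch (AuthenticationException e) {
            flash.message = 'Invalid username or password'
            redirect(action: 'login')
            return
        }

        Session fresh = subject.getSession(true)   // id issued only after auth
        carryOver.each { k, v -> if (v != null) fresh.setAttribute(k, v) }
        redirect(uri: carryOver.targetUri ?: '/')
    }
}
```

To verify the fix, compare the `JSESSIONID` value in the `Set-Cookie` header of the response that renders the login form with the one returned after a successful login; they must differ.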
