Hello all,

I'm trying to integrate CSRFGuard (https://github.com/aramrami/OWASP-CSRFGuard) with my Shiro-secured webapp. The way CSRFGuard is integrated in a webapp is using a servlet listener (to initialize) and a servlet filter (to compare the CSRF token stored in the session with the CSRF token sent with the request). Oh wait, it also requires an HttpSessionListener (https://github.com/aramrami/OWASP-CSRFGuard/blob/master/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java), so that it stores the token in the newly created HttpSession.

Now, when Shiro creates its own HttpSession (ShiroHttpSession), my CsrfGuardHttpSessionListener, properly configured as a listener, won't receive any events. Even worse, it only receives events when Jetty creates its sessions (obviously those sessions aren't related to Shiro and are of no use to me).

Some guy already posted a question very similar to mine on SO: http://stackoverflow.com/questions/21182660/shiro-httpsession-in-sessionlistener but he didn't receive any meaningful answers...

What do you think, Shiro users/devs? Why doesn't Shiro trigger SessionEvents?

Thanks for your answers!

Anthony

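Shiro publishes its own session lifecycle events through org.apache.shiro.session.SessionListener rather than through the servlet HttpSessionListener, which is why a listener registered in web.xml never sees a ShiroHttpSession being created. As an added illustration (not code from the original post, from CSRFGuard or from Shiro), the class below seeds a random per-session token from that Shiro hook and offers a constant-time comparison a filter could call; the class name, the attribute name and the shiro.ini wiring in the comment are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;

/**
 * Hooks Shiro's own session lifecycle, which fires for ShiroHttpSession where the
 * servlet HttpSessionListener does not. Register it in shiro.ini (names assumed):
 *   [main]
 *   csrfListener = com.example.CsrfTokenSessionListener
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   sessionManager.sessionListeners = $csrfListener
 *   securityManager.sessionManager = $sessionManager
 */
public class CsrfTokenSessionListener implements SessionListener {
    /** Session attribute holding the token (example name, not CSRFGuard's). */
    public static final String TOKEN_ATTR = "example.csrf.token";
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void onStart(Session session) {
        // Runs when Shiro's SessionManager creates the session, so the token
        // exists before the first response that needs to embed it.
        session.setAttribute(TOKEN_ATTR, newToken());
    }

    @Override
    public void onStop(Session session) { /* token dies with the session */ }

    @Override
    public void onExpiration(Session session) { /* token dies with the session */ }

    /** 256 bits from SecureRandom, URL-safe base64 without padding. */
    static String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Filter-side check: constant-time compare; false if either side is missing. */
    public static boolean tokenMatches(Session session, String submitted) {
        Object stored = session.getAttribute(TOKEN_ATTR);
        if (stored == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(stored.toString().getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

A servlet filter would read the submitted token from the request, fetch the Shiro session via SecurityUtils.getSubject().getSession(false) and reject state-changing requests when tokenMatches returns false.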