Hi, I’m developing an application where I need to mitigate the risk of a session fixation attack by generating a new session immediately after login, and I found a request in JIRA with the reference number SHIRO-170 which does exactly what I’m looking for.

The issue is that I’m unable to implement the solution outlined in the last entry of SHIRO-170 by Luke Biddell, as I’m using the PassThruAuthenticationFilter, which doesn’t have an executeLogin method. I’ve tried implementing the code Les Hazlewood suggested in the login method of a custom security manager, and it works fine if the authentication attempt was successful; however, an UnknownSessionException is thrown if the attempt failed. I’ve also tried catching the exception, but it seems to have been caught further downstream by one of the methods executed in the authenticate method.

Could anyone give me some pointers as to where in the Shiro code would be the best place to implement this feature, please? If I can get it working then I’d be happy to submit a patch so other people can benefit as well.

Many thanks,
Paul

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-I-implement-SHIRO-170-to-mitigate-a-session-fixation-attack-tp7579654.html
Sent from the Shiro User mailing list archive at Nabble.com.

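An added example, not code from the post, from SHIRO-170 or from Shiro itself, of the session rotation the question asks about, placed in the application's own login handler because PassThruAuthenticationFilter leaves the login call to the application. The class and method names are assumed; it also assumes (as in Shiro's DelegatingSubject) that stopping the current session and then calling getSession(true) yields a session with a new id.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/** Hypothetical login helper for an app behind PassThruAuthenticationFilter. */
public final class SessionRotatingLogin {

    private SessionRotatingLogin() {}

    /**
     * Authenticates the current subject and, only on success, replaces the
     * pre-login session with a fresh one. Returns true on success.
     */
    public static boolean loginAndRotateSession(String username, char[] password, boolean rememberMe) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // Failed attempt: the anonymous session is left untouched, so nothing
            // downstream can trip over a session that was stopped too early.
            return false;
        } finally {
            token.clear(); // drop the password from memory as soon as possible
        }
        rotateSession(subject);
        return true;
    }

    /** Stops the current session and creates a new one carrying the same attributes. */
    static void rotateSession(Subject subject) {
        Session old = subject.getSession(false);
        if (old == null) {
            subject.getSession(true); // nothing to migrate, just ensure a session exists
            return;
        }
        // Copy every attribute, including Shiro's own principal/authenticated
        // markers, so the login survives the switch to the new session id.
        Map<Object, Object> attributes = new HashMap<>();
        for (Object key : old.getAttributeKeys()) {
            attributes.put(key, old.getAttribute(key));
        }
        old.stop();                               // invalidates the id that may have been fixed
        Session fresh = subject.getSession(true); // new session, new id, new cookie
        for (Map.Entry<Object, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }
}
```

Rotating only after `login` returns normally is what keeps the failed-attempt path free of the UnknownSessionException the post describes.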