If you are using Servlet session management (not Shiro native)
this shouldn't be a problem:
Try pugging this into your web.xml:
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Excerpt from Shiro documentation:
HttpServletResponse implementation to support URL Encoding of Shiro Session IDs.
It is only used when using Shiro's native Session Management configuration (and
not when using the Servlet Container session configuration, which is Shiro's
default in a web environment). Because the servlet container already performs
url encoding of its own session ids, instances of this class are only needed
when using Shiro native sessions.
Note that this implementation relies in part on source code from the Tomcat 6.x
distribution for encoding URLs for session ID URL Rewriting (we didn't want to
re-invent the wheel). Since Shiro is also Apache 2.0 license, all regular
licenses and conditions have remained in tact.
Since:
0.2
On Apr 15, 2014, at 5:30 PM, Dominic Farr wrote:
> adding the session id to the url is a fall back because the server isn't sure
> the browser allows cookies at the time of session creation. and although ; is
> a valid separator in the http spec, it does break spring urls.
>
> do you front your shiro app with a web server like apache or nginx? if you
> do, you can add a rewrite rule that removed jsessionid.
> eg.
>
> ReWriteRule ^(.*);JSESSIONID=.*$ $1 [L,R=301]
>
> this rule isn't production ready, so please examine it before use.
>
>
>
>
>
>
> On 15 April 2014 20:59, Anton <[email protected]> wrote:
> Good day, everybody.
>
> ShiroHttpServletResponse has overridden encodeURL(String url) method, which
> add JSESSIONID parameter to the urls.
> So all links in a HTML page inserted using Spring macros (spring.ulr etc)
> become invalid.
>
> This happens on the first request, then cookie with session id is not set
> yet.
>
> Aforementioned method encodeURL use isEncodeable, which looks like:
>
> protected boolean isEncodeable(final String location) {
>
> if (location == null)
> return (false);
>
> // Is this an intra-document reference?
> if (location.startsWith("#"))
> return (false);
>
> // Are we in a valid session that is not using cookies?
> final HttpServletRequest hreq = request;
> final HttpSession session = hreq.getSession(false);
> 1) if (session == null)
> return (false);
> 2) if (hreq.isRequestedSessionIdFromCookie())
> return (false);
>
> return doIsEncodeable(hreq, session, location);
> }
>
> 1) A session has been already created, so session != null
> 2) but it's a brand new session, so hreq.isRequestedSessionIdFromCookie() ==
> false
> As result we have, that url will be encoded though cookie are used.
>
> Is it a bug, or I misunderstood something??
> Please help :)
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Problem-with-JSESSIONID-tp7579874.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
