Thanks for the hint. I didn't found it via google. But I still think it would be good if shiro address this issue by providing a filter. However I'm unsure if it's a good idea to disable url-encoding :-/ but it's a workaround.
The reason, why I think it's shiro issue, is the following: - My app without security never has a session-id in the url. - My app with spring security never has a session-idin the url. - My app with shiro has the session-id in the url. I hope you can see the point. And I'm still not understand why the behavior change. Regards Niels -- View this message in context: http://shiro-user.582556.n2.nabble.com/JSESSIONID-in-URL-tp7580232p7580235.html Sent from the Shiro User mailing list archive at Nabble.com.
