Hello, I've spent some time debugging a problem where ";JSESSIONID=<session id>" kept appearing on any Shiro redirect where the browser didn't already have a session cookie. At first I thought Tomcat was doing this, because my session cookie name is "JSESSIONID2". However, I tracked it down to the code in ShiroHttpServletResponse.encodeRedirectURL(String). Then I discovered that there were open tickets about the appending:
https://issues.apache.org/jira/browse/SHIRO-360
https://issues.apache.org/jira/browse/SHIRO-361

I noticed ShiroHttpServletResponse.toEncoded(String, String) always uses the DEFAULT_SESSION_ID_PARAMETER_NAME, which is JSESSIONID. Should that instead be using the Session Cookie name for consistency? Or should it be configurable as part of SHIRO-360? I certainly was expecting it to match, so it took me a long time to realize the value was being appended by Shiro and not Tomcat.

Sincerely,
Stephen McCants

----------
Stephen McCants
Senior Software Engineer
Healthcare Control Systems, Inc.
