Hello Rui Tang,

I am using servlet 3.0 only and my web.xml is as follows.

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

Sorry, I am not clear on how to implement this configuration in my
application, as I am not running any Jetty configuration at all.

Could you please elaborate on the configuration files needed to hide the
JSESSIONID in my simple Spring & Shiro based web application?

On Fri, Jul 10, 2015 at 12:58 PM, Rui Tang <[email protected]> wrote:

> <session-config> is available for servlet 3.0. If you use web containers
> that support a lower version, you have to configure it via the container's
> config.
>
> E.g. for jetty,
> http://www.eclipse.org/jetty/documentation/current/session-management.html
>
> On Fri, Jul 10, 2015 at 2:15 PM, Nagaraju Kurma <
> [email protected]> wrote:
>
>> Hello Team,
>>
>> Thanks for spending your valuable time.
>>
>> *1) Session Fixation*
>>
>> Implemented the same as the above link describes. It's working fine, but it
>> is like outside of the framework and not developer friendly. As this is a
>> high security concern, somewhere we need to have a configuration as part of
>> Shiro only.
>>
>> *2) Session Token in url*
>>
>> I have one more question: on the first request after the session has
>> started, *JSESSIONID* is appended to the URL as follows
>>
>>
>> http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad
>>
>> This is also a security concern. How to resolve it? Does anybody
>> have any workaround for this?
>>
>> I am working with Spring & Shiro, so I tried the following
>> configuration, but it failed.
>>
>> <session-config>
>> <tracking-mode>COOKIE</tracking-mode>
>> </session-config>
>>
>> On Fri, Jul 10, 2015 at 11:19 AM, Rui Tang <[email protected]> wrote:
>>
>>> Here's an issue about this problem.
>>>
>>> https://issues.apache.org/jira/browse/SHIRO-170
>>>
>>> Even though it hasn't been fixed, there's some workaround in the
>>> comments.
>>>
>>> On Thu, Jul 9, 2015 at 1:26 PM, Nagaraju Kurma <
>>> [email protected]> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> Is there any workaround on this?
>>>>
>>>> --
>>>>
>>>> Thanks & Regards
>>>>
>>>> Nagaraju Kurma
>>>>
>>>
>>>
>>>
>>> --
>>> 唐睿
>>>
>>
>>
>>
>> --
>>
>> Thanks & Regards
>>
>> Nagaraju Kurma
>>
>
>
>
> --
> 唐睿
>



-- 

Thanks & Regards

Nagaraju Kurma
