Hi, I am glad to hear about your positive upgrade experience and success with the EE and CDI integration.
Yes, you are correct. EE integration module forces COOKIE only. This was done to comply with best security practices and avoid CVEs in the future. Is there a particular issue that you are facing with this? If yes, please create a GitHub issue. This was the one thing that is not put behind a separate configuration parameter. Let us know if you have any other questions of issues. > On Sep 30, 2025, at 8:13 AM, Martin Höller <[email protected]> wrote: > > Hi! > > I recently upgraded from Shiro 1.13 to 2.0.5. Basically all went fine and > my existing web-application is working as expected. Many thanks for your > hard work, especially for the EE- and CDI-integration! > > However, I found out, that when I added shiro-jakarta-ee as a dependency, > the session-tracking-modes from my web-application changed from {COOKIE, > URL} to {COOKIE} only. > > After some investigation I found that > org.apache.shiro.ee.listeners.EnvironmentLoaderListener explicitly sets > this at the end of the contextInitialized() method: > https://github.com/apache/shiro/blob/bfda5a280922fe536fd218206297be4da8c80621/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java#L83 > > I'm wondering is this by intention? What's the reason behind this? > > (Yes, I know session-tracking via URL is not recommended, but that's not > the point here. One can configure it via web.xml but shiro overwrites > this configuration.) > > Best regards, > - martin
