Hi, and thanks for your reply!

Two things that could/should IMHO be improved:

1) Document the COOKIE only session tracking mode. It took me several hours to find out via debugging what was the reason for not accepting my session-ID via URL. I couldn't find any documentation about this change/feature in Shiro documentation.

2) My issue was with a legacy application, which uses URL session tracking internally (all on the same physical machine, so SID in URL shouldn't be a security problem here). I would be happy to have this feature configurable via context-parameter. A change would probably be quite simple. My current workaround is to have a custom ServletContextListener which reverts the configuration done by shiro. This is a bit of a hack, especially because I have to take order of listeners into account, which forced me into manual listener configuration via web.xml.

I have created issue https://github.com/apache/shiro/issues/2273 for missing documentation. If there is a chance it would be accepted, I would also create an issue for making SessionTrackingMode configurable. What do you think?

Thanks again,
- martin

On 01 Oct 2025, [email protected] wrote:
> Hi,
>
> I am glad to hear about your positive upgrade experience and success with the
> EE and CDI integration.
>
> Yes, you are correct. EE integration module forces COOKIE only. This was done
> to comply with best security practices and avoid CVEs in the future.
>
> Is there a particular issue that you are facing with this?
> If yes, please create a GitHub issue. This was the one thing that is not put
> behind a separate configuration parameter.
> Let us know if you have any other questions or issues.
>
>
> On Sep 30, 2025, at 8:13 AM, Martin Höller <[email protected]> wrote:
> >
> > Hi!
> >
> > I recently upgraded from Shiro 1.13 to 2.0.5. Basically all went fine and
> > my existing web-application is working as expected. Many thanks for your
> > hard work, especially for the EE- and CDI-integration!
> >
> > However, I found out that when I added shiro-jakarta-ee as a dependency,
> > the session-tracking-modes from my web-application changed from {COOKIE,
> > URL} to {COOKIE} only.
> >
> > After some investigation I found that
> > org.apache.shiro.ee.listeners.EnvironmentLoaderListener explicitly sets
> > this at the end of the contextInitialized() method:
> > https://github.com/apache/shiro/blob/bfda5a280922fe536fd218206297be4da8c80621/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java#L83
> >
> > I'm wondering, is this by intention? What's the reason behind this?
> >
> > (Yes, I know session-tracking via URL is not recommended, but that's not
> > the point here. One can configure it via web.xml but shiro overwrites
> > this configuration.)
> >
> > Best regards,
> > - martin
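A startup check of the kind this thread calls for, added here as an example and not code from Shiro or from either poster: it logs the session tracking modes that are actually in effect once Shiro's EnvironmentLoaderListener has run, which is exactly what took hours of debugging to discover above. The class name and the audit() helper are assumptions of this example; only the jakarta.servlet API calls are real.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.SessionTrackingMode;

/**
 * Hypothetical listener (not part of Shiro). It does not change anything;
 * it records the effective session tracking configuration at startup so
 * an unexpected COOKIE-only (or unexpected URL) setting is visible in the
 * log instead of showing up as rejected session IDs at runtime.
 */
public class SessionTrackingAuditListener implements ServletContextListener {

    private static final Logger LOG = Logger.getLogger(SessionTrackingAuditListener.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Effective modes reflect web.xml plus any setSessionTrackingModes()
        // call made by listeners that ran before this one.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        LOG.info("Effective session tracking modes: " + effective);
        LOG.info("Session cookie: name=" + cookie.getName()
                + " httpOnly=" + cookie.isHttpOnly() + " secure=" + cookie.isSecure());
        for (String finding : audit(effective, cookie.isHttpOnly(), cookie.isSecure())) {
            LOG.warning(finding);
        }
    }

    /** Pure rule set, kept separate so it can be unit-tested without a container. */
    static List<String> audit(Set<SessionTrackingMode> modes, boolean httpOnly, boolean secure) {
        List<String> findings = new ArrayList<>();
        if (modes.contains(SessionTrackingMode.URL)) {
            findings.add("URL session tracking enabled: session IDs will leak into links, logs and Referer headers");
        }
        if (!modes.equals(EnumSet.of(SessionTrackingMode.COOKIE))) {
            findings.add("Tracking modes " + modes + " differ from the COOKIE-only set shiro-jakarta-ee enforces");
        }
        if (!httpOnly) findings.add("Session cookie is not HttpOnly");
        if (!secure) findings.add("Session cookie is not marked Secure");
        return findings;
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Declare it in web.xml after Shiro's EnvironmentLoaderListener: listeners listed in the deployment descriptor are invoked in declaration order, and Shiro sets the modes at the end of its contextInitialized(), so an earlier or annotation-discovered listener may log the pre-Shiro value.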