Yes, your thoughts about this are correct. Thank you.

> On Oct 2, 2025, at 2:05 AM, Martin Höller <[email protected]> wrote:
>
> Hi,
>
> and thanks for your reply!
>
> Two things that could/should IMHO be improved:
>
> 1) Document the COOKIE-only session tracking mode. It took me several
> hours to find out, via debugging, what the reason was for not accepting
> my session ID via URL. I couldn't find any documentation about this
> change/feature in the Shiro documentation.
>
> 2) My issue was with a legacy application, which uses URL session
> tracking internally (all on the same physical machine, so SID in URL
> shouldn't be a security problem here). I would be happy to have this
> feature configurable via context-parameter. A change would probably be
> quite simple.
>
> My current workaround is to have a custom ServletContextListener which
> reverts the configuration done by Shiro. This is a bit of a hack,
> especially because I have to take the order of listeners into account,
> which forced me into manual listener configuration via web.xml.
>
> I have created issue https://github.com/apache/shiro/issues/2273 for
> missing documentation.
>
> If there is a chance it would be accepted, I would also create an issue
> for making SessionTrackingMode configurable. What do you think?
>
> Thanks again,
> - martin
>
>
> On 01 Oct. 2025, [email protected] wrote:
>
>> Hi,
>>
>> I am glad to hear about your positive upgrade experience and success with
>> the EE and CDI integration.
>>
>> Yes, you are correct. The EE integration module forces COOKIE only. This was
>> done to comply with best security practices and avoid CVEs in the future.
>>
>> Is there a particular issue that you are facing with this?
>> If yes, please create a GitHub issue. This was the one thing that was not put
>> behind a separate configuration parameter.
>> Let us know if you have any other questions or issues.
>>
>>> On Sep 30, 2025, at 8:13 AM, Martin Höller <[email protected]> wrote:
>>>
>>> Hi!
>>>
>>> I recently upgraded from Shiro 1.13 to 2.0.5. Basically all went fine and
>>> my existing web-application is working as expected. Many thanks for your
>>> hard work, especially for the EE- and CDI-integration!
>>>
>>> However, I found out that when I added shiro-jakarta-ee as a dependency,
>>> the session-tracking modes of my web application changed from {COOKIE,
>>> URL} to {COOKIE} only.
>>>
>>> After some investigation I found that
>>> org.apache.shiro.ee.listeners.EnvironmentLoaderListener explicitly sets
>>> this at the end of the contextInitialized() method:
>>> https://github.com/apache/shiro/blob/bfda5a280922fe536fd218206297be4da8c80621/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java#L83
>>>
>>> I'm wondering, is this intentional? What's the reason behind this?
>>>
>>> (Yes, I know session tracking via URL is not recommended, but that's not
>>> the point here. One can configure it via web.xml, but Shiro overwrites
>>> this configuration.)
>>>
>>> Best regards,
>>> - martin
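To illustrate the context-parameter approach proposed above, here is an added example that is not Shiro's code and not from any participant in the thread: a ServletContextListener that keeps COOKIE-only tracking as the secure default and only adds URL tracking when a deployment explicitly opts in. The parameter name `example.allowUrlSessionTracking` is hypothetical.

```java
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionTrackingMode;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added illustration: COOKIE-only session tracking by default, with an
 * explicit opt-in for URL tracking via a context parameter. The parameter
 * name is hypothetical; the thread above states that Shiro's
 * EnvironmentLoaderListener currently offers no such switch.
 */
public class SessionTrackingModeListener implements ServletContextListener {

    // Hypothetical context-param, declared in web.xml as:
    //   <context-param>
    //     <param-name>example.allowUrlSessionTracking</param-name>
    //     <param-value>true</param-value>
    //   </context-param>
    static final String ALLOW_URL_PARAM = "example.allowUrlSessionTracking";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        Set<SessionTrackingMode> modes = EnumSet.of(SessionTrackingMode.COOKIE);
        if (Boolean.parseBoolean(ctx.getInitParameter(ALLOW_URL_PARAM))) {
            // Opt-in only: a session ID in the URL ends up in server logs,
            // Referer headers and browser history, so it stays off otherwise.
            modes.add(SessionTrackingMode.URL);
        }
        // setSessionTrackingModes is only legal while the context is still
        // initializing; calling it afterwards throws IllegalStateException.
        ctx.setSessionTrackingModes(modes);
        ctx.log("Effective session tracking modes: "
                + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to undo
    }
}
```

Listeners run in declaration order, so whichever listener calls setSessionTrackingModes last wins; this is exactly why the workaround described above depends on listener ordering in web.xml.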