shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Les Hazlewood (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (SHIRO-83) Make sessionId cookie optional
Date Mon, 10 May 2010 00:27:48 GMT

     [ https://issues.apache.org/jira/browse/SHIRO-83?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Les Hazlewood resolved SHIRO-83.
--------------------------------

    Resolution: Fixed

The cookie is enabled by default, but can now be turned off by setting the DefaultWebSessionManager.sessionIdCookieEnabled
attribute to false.  Commit was accompanied by a DefaultWebSessionManagerTest case to verify
functionality.

> Make sessionId cookie optional
> ------------------------------
>
>                 Key: SHIRO-83
>                 URL: https://issues.apache.org/jira/browse/SHIRO-83
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Web
>    Affects Versions: 1.0.0
>            Reporter: Les Hazlewood
>             Fix For: 1.0.0
>
>
> In rich-client applications (Ajax, Flex, etc), it is more secure to have the rich-client
framework explicitly send the session ID back to the server with every request in its native/encrypted
format, rather than via cookies, which are more susceptible to man-in-the-middle attacks.
 GWT works this way as well.
> Make it a configuration possibility to disable cookies entirely, supporting this rich-client-over-http
scenario.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message