shiro-dev mailing list archives

From "Gareth Collins (Issue Comment Edited) (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Edited] (SHIRO-351) Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)
Date Tue, 27 Mar 2012 14:02:35 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239480#comment-13239480 ]

Gareth Collins edited comment on SHIRO-351 at 3/27/12 2:01 PM:
---------------------------------------------------------------

Jim,

I understand your point of view and we could go away and discuss implementation options for
multiple devices, but it is kind of irrelevant to the problem at hand. The Servlet 2.5 spec,
section SRV.7.1.4 states:

"Web containers must be able to support the HTTP session while servicing HTTP requests from
clients that do not support the use of cookies."

This support is already there for Shiro native sessions. It just doesn't work correctly.

I guess you could argue that this functionality should be removed rather than fixed. However,
even if this functionality was removed from Shiro native sessions, the Shiro user would still
be able to access this functionality by using Tomcat/Jetty sessions instead (as these containers
are servlet 2.5 compliant)...so little would be achieved apart from hobbling Shiro native
session functionality.
                
      was (Author: gcollins):
    Jim,

I understand your point of view and we could go away and discuss implementation options for
multiple devices, but it is kind of irrelevant to the problem at hand. The Servlet 2.5 spec,
section SRV.7.1.4 states:

"Web containers must be able to support the HTTP session while servicing HTTP requests from
clients that do not support the use of cookies."

This support is already there for Shiro native sessions. It just doesn't work correctly.

I guess you could argue that this functionality should be removed. However, even if you did
remove it from Shiro native sessions, the user would still be able to access this functionality
if I used Tomcat/Jetty sessions instead (as these containers are servlet 2.5 compliant)...so
you would achieve little apart from hobbling Shiro native session functionality.
                  
> Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-351
>                 URL: https://issues.apache.org/jira/browse/SHIRO-351
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.2.0
>         Environment: N/A
>            Reporter: Gareth Collins
>
> The background for this issue is here:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
> In summary the issue is that Shiro supports extracting JSESSIONID from urls of this format:
> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
> but not of this format (this URL format is generated by HTTPServletResponse encodeURL method and is Servlet specification 2.5 compliant):
> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
> Shiro should be able to support both URL formats.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
