shiro-dev mailing list archives

From Jim Manico <jim.man...@owasp.org>
Subject Re: [jira] [Commented] (SHIRO-351) Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)
Date Tue, 27 Mar 2012 14:59:13 GMT
Perhaps we could provide a warning in the JavaDoc and explain the risk
of session id leakage over HTTP GET requests when session rewriting is
enabled?

The FNG (F. New Guy),

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Mar 27, 2012, at 3:00 PM, "Gareth Collins (Commented) (JIRA)"
<jira@apache.org> wrote:

>
>    [ https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239480#comment-13239480 ]
>
> Gareth Collins commented on SHIRO-351:
> --------------------------------------
>
> Jim,
>
> I understand your point of view and we could go away and discuss implementation options
> for multiple devices, but it is kind of irrelevant to the problem at hand. The Servlet 2.5
> spec, section SRV.7.1.4 states:
>
> "Web containers must be able to support the HTTP session while servicing HTTP requests
> from clients that do not support the use of cookies."
>
> This support is already there for Shiro native sessions. It just doesn't work correctly.
>
> I guess you could argue that this functionality should be removed. However, even if you
> did remove it from Shiro native sessions, the user would still be able to access this functionality
> if I used Tomcat/Jetty sessions instead (as these containers are servlet 2.5 compliant)...so
> you would achieve little apart from hobbling Shiro native session functionality.
>
>> Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID
>> is URL parameter (not HTTP parameter)
>> --------------------------------------------------------------------------------------------------------------------------
>>
>>                Key: SHIRO-351
>>                URL: https://issues.apache.org/jira/browse/SHIRO-351
>>            Project: Shiro
>>         Issue Type: Bug
>>         Components: Web
>>   Affects Versions: 1.2.0
>>        Environment: N/A
>>           Reporter: Gareth Collins
>>
>> The background for this issue is here:
>> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
>> In summary the issue is that Shiro supports extracting JSESSIONID from urls of this
>> format:
>> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
>> but not of this format (this URL format is generated by HTTPServletResponse encodeURL
>> method and is Servlet specification 2.5 compliant):
>> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
>> Shiro should be able to support both URL formats.
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>
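The two URL forms from the ticket, handled by one small parser, as an added example that is not Shiro code or from any participant in this thread. It recognises both the `?JSESSIONID=` query form and the `;JSESSIONID=` path-parameter form produced by encodeURL, reports which one supplied the id, and offers a redaction helper for log lines and similar sinks, since a URL-carried id is exactly what Jim's leakage concern is about. Case-insensitive name matching is an assumption, not something the ticket specifies.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "JSESSIONID"  # matched case-insensitively (assumption)


def _split_last_segment(path):
    """Split '/a/b;p=1' into ('/a/', 'b', 'p=1'); params live on the last segment."""
    head, slash, last = path.rpartition("/")
    seg, _, param_str = last.partition(";")
    return head + slash, seg, param_str


def extract_session_id(url):
    """Return (session_id, source); source is 'path', 'query' or None.

    Covers both forms from SHIRO-351:
      http://host/res?JSESSIONID=ABCDEF   query parameter
      http://host/res;JSESSIONID=ABCDEF   path parameter (encodeURL style)
    """
    parts = urlsplit(url)
    _, _, param_str = _split_last_segment(parts.path)
    for param in param_str.split(";") if param_str else []:
        name, eq, value = param.partition("=")
        if eq and name.upper() == SESSION_PARAM and value:
            return value, "path"
    for name, value in parse_qsl(parts.query):
        if name.upper() == SESSION_PARAM and value:
            return value, "query"
    return None, None


def redact_session_id(url, mask="REDACTED"):
    """Mask a URL-carried session id before the URL reaches logs or Referers."""
    parts = urlsplit(url)
    head, seg, param_str = _split_last_segment(parts.path)
    if param_str:
        kept = []
        for param in param_str.split(";"):
            name, eq, value = param.partition("=")
            kept.append(f"{name}={mask}" if eq and name.upper() == SESSION_PARAM
                        else param)
        seg = seg + ";" + ";".join(kept)
    query = [(n, mask if n.upper() == SESSION_PARAM else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, head + seg,
                       urlencode(query), parts.fragment))
```

Treating an id that arrived in the URL (source `'path'` or `'query'`) as a candidate for session regeneration, rather than trusting it like a cookie-borne id, is the usual defensive follow-up.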
