shiro-dev mailing list archives

From "Terence Kent (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SHIRO-487) Session path parameter must be "JSESSIONID", not "jsessionid"
Date Wed, 05 Mar 2014 15:35:50 GMT

     [ https://issues.apache.org/jira/browse/SHIRO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Terence Kent updated SHIRO-487:
-------------------------------

    Summary: Session path parameter must be "JSESSIONID", not "jsessionid"  (was: JSESSIONID is not configurable as path parameter, only as a query parameter)

> Session path parameter must be "JSESSIONID", not "jsessionid"
> -------------------------------------------------------------
>
>                 Key: SHIRO-487
>                 URL: https://issues.apache.org/jira/browse/SHIRO-487
>             Project: Shiro
>          Issue Type: Bug
>          Components: Session Management, Web
>    Affects Versions: 1.2.2
>            Reporter: Terence Kent
>            Priority: Minor
>              Labels: easyfix
>
> The DefaultWebSessionManager only looks for the session id in a path parameter with the
> name of "JSESSIONID" (all uppercase, not lowercase), and this cannot be configured. This should
> either be configurable, or just "jsessionid" (all lower case).
> The 3.0 servlet spec, section 7.1.3 states: "The session ID must be encoded as a path
> parameter in the URL string. The name of the parameter must be jsessionid." Other servlet
> containers (tomcat, jetty, etc) use "jsessionid" as the path parameter for session ids.
> Since path parameters really shouldn't be used, the query parameter *is* configurable,
> and changing our existing client code isn't that big of a deal, I'm marking this as a minor
> issue. Just thought I would record it.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
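
The mismatch described in the report, as an added Java illustration (not Shiro's code and not part of the original message; the class, the pathParam helper and the sample URIs are constructed for this example). It does a case-sensitive lookup of a ";name=value" path parameter and shows that a lookup for "JSESSIONID" misses the spec-conformant ";jsessionid=" form.

```java
// Added illustration: hypothetical helper, not the DefaultWebSessionManager implementation.
class PathParamSessionId {

    // Returns the value of the named path parameter (";name=value") in a request URI,
    // or null if it is absent. The name comparison is case-sensitive.
    static String pathParam(String uri, String name) {
        if (uri == null) {
            return null;
        }
        // Path parameters live in the path, so drop the query string first.
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;

        String token = ";" + name + "=";
        int start = path.indexOf(token);
        if (start < 0) {
            return null;
        }
        start += token.length();

        // The value ends at the next path parameter or the next path segment.
        int end = path.length();
        for (int i = start; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == ';' || c == '/') {
                end = i;
                break;
            }
        }
        String value = path.substring(start, end);
        return value.isEmpty() ? null : value;
    }

    public static void main(String[] args) {
        // Constructed sample URIs: spec-conformant lowercase, uppercase, and query-only.
        String[] uris = {
            "/app/home;jsessionid=abc123?x=1",
            "/app/home;JSESSIONID=abc123?x=1",
            "/app/home?jsessionid=abc123",
        };
        for (String uri : uris) {
            System.out.printf("%-34s JSESSIONID=%-7s jsessionid=%s%n", uri,
                    pathParam(uri, "JSESSIONID"), pathParam(uri, "jsessionid"));
        }
    }
}
```

For the first URI the uppercase lookup returns null while the lowercase lookup returns abc123; the third URI returns null for both because the id is in the query string, not a path parameter.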
