shiro-dev mailing list archives

From "Carsten Englert (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SHIRO-536) Session token in url
Date Sun, 13 Sep 2015 23:23:45 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14742719#comment-14742719 ]

Carsten Englert edited comment on SHIRO-536 at 9/13/15 11:22 PM:
-----------------------------------------------------------------

Any news on this?

I'm struggling to find a workaround as well, since setting a specific SessionDAO seems to
be mandatory in order to get [Shiro working in a cluster environment|http://shiro.apache.org/session-management.html#SessionManagement-SessionClustering].
Or does that not apply to WebSessions?

Giving up the more secure Cookie tracking mode in favor of the Session ID being included in
the URL is not an option.


was (Author: carstenenglert):
Any news on this?

I'm struggling to find a workaround as well, since setting a specific SessionDAO seems to
be mandatory in order to get [Shiro working in a cluster environment|http://shiro.apache.org/session-management.html#SessionManagement-SessionClustering].

Giving up the more secure Cookie tracking mode in favor of the Session ID being included in
the URL is not an option.

> Session token in url
> --------------------
>
>                 Key: SHIRO-536
>                 URL: https://issues.apache.org/jira/browse/SHIRO-536
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in), Session Management
>    Affects Versions: 1.2.3
>         Environment: Security
>            Reporter: Nagaraju Kurma
>              Labels: security
>
> Hello Team,
> As we know, this is one of the vulnerability challenges where we are supposed to
> remove JSESSIONID from the URL.
> I observed that there is a possibility with the plain Servlet API 3.x version: the
> web.xml configuration which disables the JSESSIONID in the URL is
> <session-config>
>  <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> But Shiro will identify and read the above configuration if and only if the Shiro XML
> contains a session manager configuration with the class
> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>
> But the limitations of the above class are:
> 1) No session listeners configuration
> 2) No Session DAO configuration
> 3) No Session validation scheduler configuration
> 4) No invalid session deletion configuration
> ...
> etc.
> But removing the session token from the URL is possible with this.
> To overcome all the above limitations I am using the following session manager
> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>
> But with this I am unable to hide the session token from the URL, as it doesn't read the
> web.xml configuration, context.xml, etc.
> Does anybody have any workaround for this, or is there any other session manager which
> includes the functionality of both of the above session managers, so that I can address
> all the above limitations and the session token issue?
> I am facing issues with this insufficient configuration. Could anybody please suggest
> the way forward?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
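The issue above is about a session ID being rewritten into URLs (";JSESSIONID=..." path parameters in redirects and links) when a Shiro session manager does not honour the container's cookie-only tracking mode. The following is an added example, not code from the thread or from the Shiro project: a small Python check that scans a raw HTTP response for URLs carrying a JSESSIONID, in the Location header and in href/src/action attributes of the body, and reports whether the response uses cookie tracking instead. The sample response and the session ID value in it are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a response whose redirect target and body links
# have had the session ID rewritten into the URL (the behaviour the
# issue wants to switch off). The ID value is made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://app.example/home;JSESSIONID=6f1e0c4d1a2b3c4d5e6f\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    '<a href="/account;jsessionid=6f1e0c4d1a2b3c4d5e6f">Account</a>\n'
    '<form action="/logout;JSESSIONID=6f1e0c4d1a2b3c4d5e6f" method="post"></form>\n'
    '<a href="/help">Help</a>\n'
    "</body></html>\n"
)

# A servlet-style path parameter (";jsessionid=...") or a query parameter
# ("?jsessionid=..." / "&jsessionid=..."); group 1 is the leaked ID.
SESSION_ID_IN_URL = re.compile(r"[;?&]jsessionid=([A-Za-z0-9._\-]+)", re.IGNORECASE)

# Attributes whose values are URLs that a browser will follow or fetch.
URL_ATTRS = {"href", "src", "action", "formaction"}


class _LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value from the HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.urls = []  # (tag@attribute, value) pairs in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value:
                self.urls.append((f"{tag}@{name}", value))


def split_response(raw: str):
    """Split a raw HTTP response into (headers, body).

    Headers are keyed by lower-cased name; each value is a list because
    headers such as Set-Cookie may repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def find_session_ids_in_urls(raw: str):
    """Return one finding per URL in the response that carries a session ID.

    Each finding records where the URL was found (a header name or a
    tag@attribute), the URL itself and the session ID it exposes.
    """
    headers, body = split_response(raw)
    candidates = []
    # Redirect and refresh targets are the most common place for rewriting.
    for name in ("location", "refresh", "link"):
        for value in headers.get(name, []):
            candidates.append((name, value))
    collector = _LinkCollector()
    collector.feed(body)
    candidates.extend(collector.urls)

    findings = []
    for where, url in candidates:
        match = SESSION_ID_IN_URL.search(url)
        if match:
            findings.append({"where": where, "url": url, "session_id": match.group(1)})
    return findings


def uses_cookie_tracking(raw: str) -> bool:
    """True if the response issues JSESSIONID as a cookie (cookie tracking mode)."""
    headers, _ = split_response(raw)
    return any(c.lower().startswith("jsessionid=") for c in headers.get("set-cookie", []))


if __name__ == "__main__":
    for finding in find_session_ids_in_urls(SAMPLE_RESPONSE):
        print(f"{finding['where']}: {finding['url']} (session id {finding['session_id']})")
    print("cookie tracking in use:", uses_cookie_tracking(SAMPLE_RESPONSE))
```

Run against captured responses from a test deployment, an empty result from find_session_ids_in_urls together with True from uses_cookie_tracking is the state the reporter is after; any finding shows a URL that would carry the session ID into Referer headers, proxy and access logs, and browser history.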
