shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shableh <>
Subject JSESSION id being put in the URL
Date Thu, 21 Aug 2014 13:43:37 GMT
Hey all,

I know there have been a few topics on this but none of them have seemed to
come up with a 'real' solution that works for me. Essentially I've been
noticing that the JSESSION id is getting put in the URL on failed login
attempts, or when the session has expired and they are kicked out back to
the login screen. I'd very much like to not have that JSESSION id getting
put in the URL and I'm not sure what else I need to configure.

Here is my shiro.ini
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 30000
securityManager.sessionManager.sessionDAO = $sessionStore
securityManager.sessionManager.sessionIdCookieEnabled = true

authc.loginUrl = /

/error.jsp = anon
/resources/** = anon
/REST/** = authc, indexFilter
/logout = logout
/ = authc, indexFilter

And here is my shortened web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi=""







So I've got the tracking mode set to cookie inside the web.xml, and the 
securityManager.sessionManager.sessionIdCookieEnabled = true
line inside the shiro.ini, but I'm still getting the JSESSION id in the URL. 

I'm using Tomcat 7, servlet 3.0 and shiro 1.2.3. Any help on this would be
greatly appreciated!

View this message in context:
Sent from the Shiro User mailing list archive at

View raw message