shiro-user mailing list archives

From Rui Tang <tangrui...@gmail.com>
Subject Re: Force new session id on authentication
Date Fri, 10 Jul 2015 07:28:22 GMT
<session-config> is available for Servlet 3.0. If you use web containers
that support a lower version, you have to configure it via the container's config.

E.g. for jetty,
http://www.eclipse.org/jetty/documentation/current/session-management.html

On Fri, Jul 10, 2015 at 2:15 PM, Nagaraju Kurma <
nagaraju.kurma@enhancesys.com> wrote:

> Hello Team,
>
> Thanks for spending your valuable time.
>
> *1) Session Fixation*
>
> Implemented the same as the above link describes. It's working fine, but it
> is like outside of the framework and not developer friendly. As this is a
> high security concern, somewhere we need to have a configuration as part of
> Shiro only.
>
> *2) Session Token in url*
>
> I have one more question: on the first request after the session has
> started, *JSESSIONID* is appended to the URL as follows
>
>
> http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad
>
> This is also a security concern. How to resolve it? Does anybody
> have any workaround for this?
>
> I am working with Spring & Shiro, so I tried the following
> configuration, but it failed.
>
> <session-config>
> <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> On Fri, Jul 10, 2015 at 11:19 AM, Rui Tang <tangrui.cn@gmail.com> wrote:
>
>> Here's an issue about this problem.
>>
>> https://issues.apache.org/jira/browse/SHIRO-170
>>
>> Even though it hasn't been fixed, there's some workaround in the comments.
>>
>> On Thu, Jul 9, 2015 at 1:26 PM, Nagaraju Kurma <
>> nagaraju.kurma@enhancesys.com> wrote:
>>
>>> Hi Team,
>>>
>>> Is there any workaround on this?
>>>
>>> --
>>>
>>> Thanks & Regards
>>>
>>> Nagaraju Kurma
>>>
>>
>>
>>
>> --
>> 唐睿
>>
>
>
>
> --
>
> Thanks & Regards
>
> Nagaraju Kurma
>



-- 
唐睿
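
The thread's subject, forcing a new session id on authentication, shown as an added example that is not code from the messages above, from SHIRO-170, or from Shiro itself: the pre-login session is stopped and replaced before `subject.login(...)` runs, so an id known before authentication is never the authenticated one. The class name `SessionRenewingLogin` and the decision to carry over every attribute of the old session are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (name is an assumption): log in under a fresh session id. */
public final class SessionRenewingLogin {

    private SessionRenewingLogin() {}

    public static void login(AuthenticationToken token) throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // Snapshot the anonymous session's attributes (e.g. the saved request)
        // so they survive the id change. Copy only what you trust: anything
        // set before login may have been influenced by whoever fixed the id.
        Map<Object, Object> saved = new HashMap<Object, Object>();
        Session old = subject.getSession(false);
        if (old != null) {
            try {
                for (Object key : old.getAttributeKeys()) {
                    Object value = old.getAttribute(key);
                    if (value != null) {
                        saved.put(key, value);
                    }
                }
                old.stop(); // invalidates the pre-login session id
            } catch (InvalidSessionException expired) {
                saved.clear(); // already expired or stopped: nothing to carry over
            }
        }

        // A new session (and id) is created here, before authentication,
        // so a failed login still leaves the caller on an unfixed session.
        Session fresh = subject.getSession(true);
        for (Map.Entry<Object, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Authentication state is now bound to the fresh session only.
        subject.login(token);
    }
}
```

Call `SessionRenewingLogin.login(token)` wherever the application currently calls `subject.login(token)` directly.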
