Just a polite note, Session Id's in URL's are a serious vulnerability
(session rewriting). In general, GET request parameters should never
contain sensitive data since they leak (bookmarks, proxy/web server
logs, referrer headers, etc).
Forgive me if this is already known or inappropriate. I'm new here. :)
Aloha,
--
Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
[email protected]
www.owasp.org
Shiro Native Session implementation cannot extract JSESSIONID From URL if
JSESSIONID is URL parameter (not HTTP parameter)
--------------------------------------------------------------------------------------------------------------------------
Key: SHIRO-351
URL: https://issues.apache.org/jira/browse/SHIRO-351
Project: Shiro
Issue Type: Bug
Components: Web
Affects Versions: 1.2.0
Environment: N/A
Reporter: Gareth Collins
The background for this issue is here:
http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
In summary the issue is that Shiro supports extracting JSESSIONID from urls of
this format:
http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
but not of this format (this URL format is generated by HTTPServletResponse
encodeURL method and is Servlet specification 2.5 compliant):
http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
Shiro should be able to support both URL formats.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
