[
https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13238782#comment-13238782
]
Jim Manico commented on SHIRO-351:
----------------------------------
Which mobile device does not support cookies or HTTP Request headers? It
may not be convenient, but I stand by keeping session information - or
any sensitive data - out of a HTTP GET request, even over HTTPS.
Especially for a security library or security community as sharp as
Shiro! :)
- Jim
--
Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
[email protected]
www.owasp.org
> Shiro Native Session implementation cannot extract JSESSIONID From URL if
> JSESSIONID is URL parameter (not HTTP parameter)
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-351
> URL: https://issues.apache.org/jira/browse/SHIRO-351
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.2.0
> Environment: N/A
> Reporter: Gareth Collins
>
> The background for this issue is here:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
> In summary the issue is that Shiro supports extracting JSESSIONID from urls
> of this format:
> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
> but not of this format (this URL format is generated by HTTPServletResponse
> encodeURL method and is Servlet specification 2.5 compliant):
> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
> Shiro should be able to support both URL formats.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
