[ 
https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239480#comment-13239480
 ] 

Gareth Collins edited comment on SHIRO-351 at 3/27/12 2:01 PM:
---------------------------------------------------------------

Jim,

I understand your point of view and we could go away and discuss implementation 
options for multiple devices, but it is kind of irrelevant to the problem at 
hand. The Servlet 2.5 spec, section SRV.7.1.4 states:

"Web containers must be able to support the HTTP session while servicing HTTP 
requests from clients that do not support the use of cookies."

This support is already there for Shiro native sessions. It just doesn't work 
correctly.

I guess you could argue that this functionality should be removed rather than 
fixed. However, even if this functionality was removed from Shiro native 
sessions, the Shiro user would still be able to access this functionality by 
using Tomcat/Jetty sessions instead (as these containers are servlet 2.5 
compliant)...so little would be achieved apart from hobbling Shiro native 
session functionality.
                
      was (Author: gcollins):
    Jim,

I understand your point of view and we could go away and discuss implementation 
options for multiple devices, but it is kind of irrelevant to the problem at 
hand. The Servlet 2.5 spec, section SRV.7.1.4 states:

"Web containers must be able to support the HTTP session while servicing HTTP 
requests from clients that do not support the use of cookies."

This support is already there for Shiro native sessions. It just doesn't work 
correctly.

I guess you could argue that this functionality should be removed. However, 
even if you did remove it from Shiro native sessions, the user would still be 
able to access this functionality if I used Tomcat/Jetty sessions instead (as 
these containers are servlet 2.5 compliant)...so you would achieve little apart 
from hobbling Shiro native session functionality.
                  
> Shiro Native Session implementation cannot extract JSESSIONID From URL if 
> JSESSIONID is URL parameter (not HTTP parameter)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-351
>                 URL: https://issues.apache.org/jira/browse/SHIRO-351
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.2.0
>         Environment: N/A
>            Reporter: Gareth Collins
>
> The background for this issue is here:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
> In summary the issue is that Shiro supports extracting JSESSIONID from URLs 
> of this format:
> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
> but not of this format (this URL format is generated by HttpServletResponse 
> encodeURL method and is Servlet specification 2.5 compliant):
> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
> Shiro should be able to support both URL formats.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
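
The two URL forms named in the issue, parsed side by side; this is an added example, not Shiro's code and not part of the original message. The class and method names are hypothetical, and the case-insensitive name match and the path-before-query preference are assumptions made for the illustration.

```java
import java.net.URI;

public class SessionIdFromUrl {

    // Path-parameter form: /myResource;JSESSIONID=ABCDEF
    static String fromPathParameter(URI uri, String name) {
        String path = uri.getRawPath();
        if (path == null) return null;
        for (String segment : path.split("/")) {
            String[] parts = segment.split(";");
            // parts[0] is the segment itself, the rest are its parameters
            for (int i = 1; i < parts.length; i++) {
                String value = valueIfNamed(parts[i], name);
                if (value != null) return value;
            }
        }
        return null;
    }

    // Query-parameter form: /myResource?JSESSIONID=ABCDEF
    static String fromQueryParameter(URI uri, String name) {
        String query = uri.getRawQuery();
        if (query == null) return null;
        for (String pair : query.split("&")) {
            String value = valueIfNamed(pair, name);
            if (value != null) return value;
        }
        return null;
    }

    // Returns the value of "name=value" when the name matches, else null.
    private static String valueIfNamed(String pair, String name) {
        int eq = pair.indexOf('=');
        if (eq <= 0 || !pair.substring(0, eq).equalsIgnoreCase(name)) return null;
        String value = pair.substring(eq + 1);
        return value.isEmpty() ? null : value;
    }

    // Assumption: the path parameter wins when both forms are present.
    static String sessionId(String url, String name) {
        URI uri = URI.create(url);
        String id = fromPathParameter(uri, name);
        return id != null ? id : fromQueryParameter(uri, name);
    }

    public static void main(String[] args) {
        String[] urls = {                                   // constructed sample inputs
            "http://www.mycompany.com/myResource?JSESSIONID=ABCDEF",
            "http://www.mycompany.com/myResource;JSESSIONID=ABCDEF",
            "http://www.mycompany.com/myResource;JSESSIONID=ABCDEF?page=2",
            "http://www.mycompany.com/myResource?next=/a;JSESSIONID=XYZ" };
        for (String u : urls) System.out.println(u + " -> " + sessionId(u, "JSESSIONID"));
    }
}
```

The last sample shows why the path and the query string are parsed separately: a `;JSESSIONID=` that appears inside a query value is not a path parameter and is not treated as a session ID.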
