[
https://issues.apache.org/jira/browse/SHIRO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Terence Kent updated SHIRO-487:
-------------------------------
Summary: Session path parameter must be "JSESSIONID", not "jsessionid"
(was: JSESSIONID is not configurable as path parameter, only as a query
parameter)
> Session path parameter must be "JSESSIONID", not "jsessionid"
> -------------------------------------------------------------
>
> Key: SHIRO-487
> URL: https://issues.apache.org/jira/browse/SHIRO-487
> Project: Shiro
> Issue Type: Bug
> Components: Session Management, Web
> Affects Versions: 1.2.2
> Reporter: Terence Kent
> Priority: Minor
> Labels: easyfix
>
> The DefaultWebSessionManager only looks for the session id in a path
> parameter with the name of "JSESSIONID" (all uppercase, not lowercase), and
> this cannot be configured. This should either be configurable, or just
> "jsessionid" (all lower case).
> The 3.0 servlet spec, section 7.1.3 states: "The session ID must be encoded
> as a path parameter in the URL string. The name of the parameter must be
> jsessionid." Other servlet containers (tomcat, jetty, etc) use "jsessionid"
> as the path parameter for session ids.
> Since path parameters really shouldn't be used, the query parameter *is*
> configurable, and changing our existing client code isn't that big of a deal,
> I'm marking this as a minor issue. Just thought I would record it.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
