[
https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622258#comment-14622258
]
Nagaraju Kurma commented on SHIRO-170:
--------------------------------------
Hello Team,
After digging it into low level finally confirmed that the following
configuration will not read the session configuration done in web.xml
*<bean id="sessionManager"
class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> *
*</bean>*
*<session-config> <tracking-mode>COOKIE</tracking-mode>
</session-config>*
If i replace *ServletContainerSessionManager* the above
*DefaultWebSessionManager *then the following configuration got effected.
*<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.*
*ServletContainerSessionManager* *"> **</bean>*
*<session-config>*
* <tracking-mode>COOKIE</tracking-mode>*
* </session-config>*
On Fri, Jul 10, 2015 at 3:52 PM, K Nagaraju <[email protected]>
--
Thanks&Regards
Nagaraju Yadav
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable for session fixation attacks. Shiro does not reset the Session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
