Hi, Something I've recently been thinking about: Shiro can use cookies to track sessions, and these cookies can be restricted to a specific path -- according to OWASP it is a best practice rule to tighten this path as much as possible.
But: Shiro does not actually validate that path when looking at the request cookies, but it rather just assumes that the user-agent will have done the right thing. Do you think adding a validation here would be a good thing, or are there reasons not to do it? https://github.com/Collaborne/shiro/pull/1 has a proposed patch for this validation, which I'm currently testing. Feedback on the idea would be most welcome!

Regards,
-- Andreas
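For readers of the thread, an added illustration of the kind of server-side check the question is about (example code written for this note, not Shiro's code and not the patch in the linked pull request): the RFC 6265 section 5.1.4 "path-match" rule decides whether a compliant user agent would have sent the cookie on this request path, and a session id arriving on a path outside the cookie's configured scope is ignored instead of trusted. Class and method names are assumptions, and the caller is assumed to pass an already normalized request path.

```java
import java.util.Optional;

/** Hypothetical helper: only honour a session cookie on paths it was scoped to. */
public final class SessionCookiePathCheck {

    /**
     * RFC 6265 section 5.1.4 "path-match": a cookie-path matches a request-path if they are
     * equal, or the cookie-path is a prefix that ends in "/", or the first request-path
     * character after the prefix is "/". requestPath must already be normalized
     * (decoded, no dot segments) by the caller.
     */
    public static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        if (cookiePath.endsWith("/")) return true;
        return requestPath.charAt(cookiePath.length()) == '/';
    }

    /**
     * Returns the session id to resume, or empty when the cookie is absent or arrived on a
     * request path the cookie was never scoped to. A compliant browser would not attach the
     * cookie there, so the value is treated as untrusted rather than used to look up a session.
     */
    public static Optional<String> sessionIdFromCookie(String requestPath,
                                                       String cookiePath,
                                                       String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) return Optional.empty();
        if (!pathMatches(requestPath, cookiePath)) {
            // Worth logging for detection: a session id presented outside its cookie path.
            return Optional.empty();
        }
        return Optional.of(cookieValue);
    }

    public static void main(String[] args) {
        // Constructed sample: cookie configured with path "/app/secure".
        String cookiePath = "/app/secure";
        System.out.println(sessionIdFromCookie("/app/secure/account", cookiePath, "sid-1"));
        System.out.println(sessionIdFromCookie("/app/secure", cookiePath, "sid-1"));
        System.out.println(sessionIdFromCookie("/app/secureX/x", cookiePath, "sid-1"));
        System.out.println(sessionIdFromCookie("/app/public", cookiePath, "sid-1"));
    }
}
```

The first two calls accept the session id; the last two return an empty Optional because "/app/secureX/x" and "/app/public" are outside the "/app/secure" scope.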
