[ https://issues.apache.org/jira/browse/SHIRO-83?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood resolved SHIRO-83.
--------------------------------

    Resolution: Fixed

The cookie is enabled by default, but can now be turned off by setting the DefaultWebSessionManager.sessionIdCookieEnabled attribute to false. The commit was accompanied by a DefaultWebSessionManagerTest case to verify functionality.

> Make sessionId cookie optional
> ------------------------------
>
>                 Key: SHIRO-83
>                 URL: https://issues.apache.org/jira/browse/SHIRO-83
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Web
>    Affects Versions: 1.0.0
>            Reporter: Les Hazlewood
>             Fix For: 1.0.0
>
>
> In rich-client applications (Ajax, Flex, etc.), it is more secure to have the
> rich-client framework explicitly send the session ID back to the server with
> every request in its native/encrypted format, rather than via cookies, which
> are more susceptible to man-in-the-middle attacks. GWT works this way as
> well.
> Make it a configuration possibility to disable cookies entirely, supporting
> this rich-client-over-http scenario.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
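For readers wanting to see what the resolved setting looks like in practice, here is an added example of a shiro.ini [main] section that turns the session ID cookie off. It is not part of the issue or the Shiro project's own code. Assumptions: the class is addressed by its Shiro 1.x name org.apache.shiro.web.session.mgt.DefaultWebSessionManager (check the package for your release), and "securityManager" is the object Shiro's INI loader defines for you in [main].

```ini
[main]
# Added example, not from SHIRO-83 or the Shiro project.
# Assumed: Shiro 1.x class org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
# "securityManager" is the object the INI loader predefines in [main].

# Default (cookie enabled): the session ID also travels in a cookie on every
# request, which is what the issue wants to avoid for rich clients.
# sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# sessionManager.sessionIdCookieEnabled = true

# After SHIRO-83: disable the cookie. The client framework must then carry the
# session ID itself on every request; Shiro will neither set nor read the cookie.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookieEnabled = false
securityManager.sessionManager = $sessionManager
```

Before relying on this in a deployment, confirm with a request that omits the cookie that the server still resolves the session from whatever channel the rich client uses to send the ID, and that a request carrying only the cookie no longer does.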