Hey Les, thank you for your swift reply.
On Tue, Apr 20, 2010 at 2:45 PM, Les Hazlewood <[email protected]> wrote:

> Hi Jakob - I'm not sure that Shiro is retaining the JSESSIONID value.

Yes, Shiro does not retain the value after a logout. The problem I'm having is not after logout, but after login. Consider this scenario: an attacker manages to send you a link to a web application using Shiro, and let's assume for now that the application accepts the ?JSESSIONID query parameter. So the link he sends you is something like:

http://host/myapp?JSESSIONID=123456

You open the link and you get a login prompt; you enter your credentials and the session gets authenticated. But so does the attacker, as he has the session id.

This is a simplified example, but it should clarify the issues I'm facing. In real life an attacker would probably need to smuggle a cookie onto the victim's computer. How that actually happens is not too important in that context; fact is, that IF a valid JSESSIONID is provided, it will be used.

> During logout, the session is invalidated and the JSESSIONID cookie is
> explicitly deleted. If you log out and redirect to another page, and
> that page requires session access, a new session (with a new
> JSESSIONID cookie) will be created.
>
> This assumes you are using Shiro 'native' sessions and not the servlet
> container sessions. Shiro has no control over how the Servlet
> container manages session cookies - but if you use Shiro native
> sessions, obviously Shiro knows how to handle that situation.

I'm using the Grails plugin, so I cannot answer that question yet. I'll do some research and see if I can find out. But apart from whether it's using the 'native' sessions or not, is there a way to instruct Shiro to restart the session after successful authentication?

> Does this help? Do you have a scenario or sample that demonstrates
> this behavior? Again, if you're using the default servlet-container
> sessions, Shiro has no control over how they operate.

I hope the scenario above is helpful.

> Let me know if you still have questions.
>
> Best regards,

-- 
Cheers,
Jakob
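The scenario Jakob describes above (a valid session id fixed before login surviving authentication) and the fix he is asking for (restarting the session on successful login) can be shown side by side with a small in-memory session store. This is an added example written for this thread; it is not code from the thread, from Apache Shiro or from the Grails plugin, and it does not claim anything about Shiro's own API. The session ids, the user name "victim" and the `SessionStore` class are constructed for the demonstration; a real application would use the regeneration facility of its session framework or servlet container rather than this toy store.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for this example).

    rotate_on_login:        issue a fresh id when a session authenticates
                            (the mitigation asked for in the thread).
    accept_url_session_id:  honour a ?JSESSIONID=... query parameter when
                            no session cookie is present.
    Only ids the store itself issued are ever honoured, which matches the
    thread's premise that the attacker holds a *valid* session id.
    """

    def __init__(self, rotate_on_login, accept_url_session_id):
        self.rotate_on_login = rotate_on_login
        self.accept_url_session_id = accept_url_session_id
        self._sessions = {}  # session id -> {"user": name or None}

    def _new_id(self):
        return secrets.token_urlsafe(24)

    def begin_request(self, cookie_id=None, url_id=None):
        """Return the id this request runs under; create a session if the
        client presented nothing the store recognises."""
        presented = cookie_id
        if presented is None and self.accept_url_session_id:
            presented = url_id
        if presented in self._sessions:
            return presented
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username):
        """Authenticate the session and return the id the client must use
        from now on (unchanged unless rotation is enabled)."""
        if sid not in self._sessions:
            raise KeyError("unknown session id")
        if self.rotate_on_login:
            # Drop the pre-authentication id and move the session data to a
            # fresh one, so anyone who learned the old id holds a dead session.
            data = self._sessions.pop(sid)
            sid = self._new_id()
            self._sessions[sid] = data
        self._sessions[sid]["user"] = username
        return sid

    def user_for(self, sid):
        """Authenticated user bound to sid, or None if absent/unauthenticated."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def run_scenario(rotate_on_login, accept_url_session_id, deliver_via_cookie=False):
    """Replay the thread's scenario and report which user the attacker's
    fixed session id resolves to after the victim has logged in."""
    store = SessionStore(rotate_on_login, accept_url_session_id)
    # 1. Attacker visits the app first and is issued a valid, anonymous id.
    attacker_sid = store.begin_request()
    # 2. Victim arrives with that id, either in the link (?JSESSIONID=...) or
    #    via a cookie smuggled onto the victim's machine.
    if deliver_via_cookie:
        victim_sid = store.begin_request(cookie_id=attacker_sid)
    else:
        victim_sid = store.begin_request(url_id=attacker_sid)
    # 3. Victim authenticates; the client adopts whatever id login() returns.
    store.login(victim_sid, "victim")
    # 4. Check whether the attacker's id now carries the victim's login.
    return store.user_for(attacker_sid)


if __name__ == "__main__":
    for rotate, via_url, via_cookie in [
        (False, True, False), (True, True, False),
        (False, False, False), (False, False, True), (True, False, True),
    ]:
        hit = run_scenario(rotate, via_url, via_cookie)
        print(f"rotate_on_login={rotate!s:5} accept_url_id={via_url!s:5} "
              f"cookie_delivery={via_cookie!s:5} -> attacker id maps to: {hit}")
```

The two-parameter layout is the point: refusing URL-carried session ids closes the link-based delivery in the mail, but the cookie-delivery rows show it does nothing once the id arrives another way, whereas rotating the id on successful login defeats both, which is why regeneration after authentication is the mitigation to look for in the framework.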
