> Yes, Shiro does not retain the value after a logout. The problem I'm having
> is not after logout, but after login.
>
> Consider this scenario: an attacker manages to send you a link to a web
> application using Shiro, and let's assume for now that the application
> accepts the ?JSESSIONID query parameter. So the link he sends you is
> something like:
>
> http://host/myapp?JSESSIONID=123456
>
> You open the link and you get a login prompt; you enter your credentials and
> the session gets authenticated. But so does the attacker, as he has the
> session id.

This won't work unless the hacker specifies a session ID for a session that is *currently active*. If the corresponding session is stopped/expired or doesn't exist, a new session will be created in all cases, and a new session ID cookie will be set.

All web frameworks rely on you to keep your cookies secure if you feel they constitute sensitive information - e.g. use SSL or turn sessions off in JSP pages that shouldn't rely on sessions.

> But apart from whether it's using the 'native' sessions or not, is there a
> way to instruct Shiro to restart the session after successful
> authentication?

Not at the moment - that would be a new feature request - please add it to Jira if you think it would be useful.

Sorry for the delay in responding to this email thread - we've been very busy wrapping up the 1.0 release.

Best,

Les
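The workaround the thread is asking for can be done in application code with the public Shiro API: stop the pre-authentication session before calling `login()`, so that a session id fixed in the link is dead by the time the principals are stored and a fresh id is issued. This is an added example, not code from the thread or from Shiro itself; the class name `LoginWithSessionRotation` and the choice to carry all pre-auth attributes across are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

import java.util.HashMap;
import java.util.Map;

/**
 * Added example (hypothetical helper, not part of Shiro): rotate the session
 * around login so the id that was live before authentication is never the id
 * that ends up authenticated.
 */
public final class LoginWithSessionRotation {

    private LoginWithSessionRotation() {}

    /** Authenticates the caller and returns the Subject bound to a new session. */
    public static Subject login(String username, char[] password)
            throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // Snapshot the pre-auth attributes the application wants to keep
        // (e.g. a saved "return to" URL); assumption: all of them are wanted.
        Map<Object, Object> carried = new HashMap<Object, Object>();
        Session before = subject.getSession(false);
        if (before != null) {
            for (Object key : before.getAttributeKeys()) {
                carried.put(key, before.getAttribute(key));
            }
            // Invalidate the pre-auth session: whoever chose its id, it is now useless.
            before.stop();
        }

        // With no live session, Shiro creates a new one (new id, new cookie)
        // when it stores the authenticated principals during login.
        subject.login(new UsernamePasswordToken(username, password));

        // Re-attach the carried attributes to the freshly created session.
        Session after = subject.getSession(true);
        for (Map.Entry<Object, Object> e : carried.entrySet()) {
            after.setAttribute(e.getKey(), e.getValue());
        }
        return subject;
    }
}
```

Pair this with rejecting session ids taken from the query string (cookie-only tracking) so the fixed id in the link is never honoured in the first place.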
