Other than the session ID cookie, Shiro currently only stores remembered principals as a cookie (i.e. the 'rememberMe' cookie) - and by default they are serialized and encrypted.
Neither the authentication state (isAuthenticated(), etc) nor the principals/credentials used to authenticate are stored in a cookie. Doing so would constitute a serious security risk, providing attackers the ability to simulate authenticated users - a very bad thing. As such, we're left with one of two approaches: either authenticate with every request (somewhat common in REST environments, for example), or store the authentication state on the server somehow (e.g. in the session). Other than really nasty and complicated solutions involving cryptographic nonces, I'm not aware of a way to store authentication state in client-side cookies without opening a serious security hole. If anyone has any ideas, I'm all ears!

As an aside: note that the worry about a 100% server stateless architecture is often mitigated by relying on an enterprise clustered cache to maintain state in production environments (e.g. Memcache, TerraCotta, Coherence, etc). A request can go to any machine because the state is accessible in the enterprise cache from any application instance. These caches are extremely fast too - global mission-critical financial trading systems use them, so odds are very high they are fast enough for your application as well.

In fact, this is one of the best ways to use Shiro - if you have a cluster, and you need clustered sessions, you can turn on Shiro's native session support and plug in a distributed Cache into Shiro's configuration. This is great because servlet containers all support different ways to cluster sessions - a real pain if you need to deploy to Tomcat or Jetty or Websphere, or any other container. With Shiro, without changing your code or configuration, you have portable Session clustering regardless of deployment environment.
HTH,

Les

On Mon, Aug 23, 2010 at 5:11 PM, Mike K <[email protected]> wrote:
>
> Yes, I see that, but I would like to store all of the data that Shiro uses in
> a session (which is not much) in a cookie, so that there is no server-side
> state reliance at all.
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Permission-checking-on-client-side-tp5450587p5454837.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
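As an added illustration of the "native sessions plus a distributed cache" approach described in the reply above (this is example configuration written for this page, not a file from the Shiro project or from Les), the following shiro.ini fragment switches Shiro from container sessions to its own session manager and backs the session store with a cache manager. It assumes the shiro-ehcache module and EhCache are on the classpath and that EhCache itself has been configured for replication across the cluster (that EhCache configuration is not shown here); with a different distributed cache you would substitute a CacheManager implementation for that product.

```ini
[main]
# Use Shiro's own (native) session manager instead of the servlet container's
# HttpSession, so session handling does not depend on Tomcat/Jetty/WebSphere
# specific clustering.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Store sessions through a cache-backed DAO rather than in local memory, so any
# node in the cluster can look up a session by its ID.
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

# The cache manager that the session DAO (and realm caches) will use. The
# EhCache instance behind it is assumed to be configured for replication.
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
```

With this in place the client still holds only an opaque session ID cookie; the authentication state and principals live in the shared cache on the server side, which is the arrangement the reply recommends instead of pushing that state into a cookie.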
