I'm running Tomcat within Eclipse as opposed to deploying via a Maven goal. I wiped the temp and work directories of Tomcat only to find that it's still happening. What I discovered, however, is that it only appends the ;JSESSIONID= upon initial authentication. This gives me something to work with, but I'm still baffled as to why it happens. Based on what I'm seeing in the logs, the JSESSIONID cookie is being created and read successfully, so I'm confused. It simply shouldn't be doing that.

From: Josh Berry [mailto:[email protected]]
Sent: Tuesday, October 22, 2013 12:22 PM
To: [email protected]
Subject: Re: DefaultWebSessionManager

How are you running this? I had problems with that happening, as well. For me adding that config worked. Maybe try to completely wipe out the temp and work directories of tomcat. I've found that it can be rather aggressive in saving work it did in the past.

For what it's worth, I'm also using tomcat7. Specifically with the `mvn tomcat7:run` goal.

On Tue, Oct 22, 2013 at 3:00 PM, Michael Chandler <[email protected]> wrote:

Josh, I am using the 3.0 namespace declaration in web.xml.

From: Josh Berry [mailto:[email protected]]
Sent: Tuesday, October 22, 2013 11:50 AM
To: [email protected]
Subject: Re: DefaultWebSessionManager

Make sure you are using version "3.0" of the web.xml namespace. Not sure that tag gets used if you are using the older servlet specification.

On Tue, Oct 22, 2013 at 1:42 PM, Michael Chandler <[email protected]> wrote:

I'm using Tomcat 7.

From: M.C. Wilson [mailto:[email protected]]
Sent: Tuesday, October 22, 2013 10:40 AM
To: [email protected]
Subject: Re: DefaultWebSessionManager

Mr. Chandler, which container are you using in this example? I've seen this same thing when using Jetty.

On Oct 22, 2013, at 10:37 AM, Lenny Primak <[email protected]> wrote:

Sounds more like something else in your web container setup is overriding this. I don't think there is an API to even do that.

On Oct 22, 2013, at 1:36 PM, Michael Chandler wrote:

Interestingly, I tried that already and it didn't change anything. I'm led to believe that Shiro is somehow overriding this.

From: Lenny Primak [mailto:lprimak@hope.nyc.ny.us]
Sent: Tuesday, October 22, 2013 10:32 AM
To: [email protected]
Subject: Re: DefaultWebSessionManager

add this to your web.xml:

    <session-config>
        <session-timeout>120</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

On Oct 22, 2013, at 1:30 PM, Michael Chandler wrote:

In using the DefaultWebSessionManager, I'm finding that Shiro is appending ";JSESSIONID=###" to my URLs instead of using cookies, which I thought was the default. The DefaultWebSessionManager constructor appears to set sessionIdCookieEnabled to true and set a default cookie. Nevertheless, I'm still seeing the JSESSIONID value in the query string, which is having a poor effect on my Spring MVC mappings.

Does anyone have any advice on how to get around this problem? Ideally, I would prefer to use cookies.

Mike
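
An added example, not part of the original thread: a small Python check for the two descriptor conditions raised above, namely that web.xml declares version 3.0 or later and that `<tracking-mode>` lists only COOKIE. The function name and both sample descriptors are constructed for illustration; it inspects the container-level declaration only and says nothing about what Shiro's own session manager does.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def check_session_tracking(web_xml_text):
    """Return a list of findings; an empty list means cookie-only tracking is declared."""
    root = ET.fromstring(web_xml_text)
    findings = []
    # <tracking-mode> arrived with Servlet 3.0, so an older descriptor version
    # means the element may not be honoured (the point made in the thread).
    version = root.get("version", "")
    try:
        if float(version) < 3.0:
            findings.append(f"web-app version {version} is older than 3.0")
    except ValueError:
        findings.append("web-app has no usable version attribute")
    modes = [el.text.strip().upper() for el in root.iter()
             if local(el.tag) == "tracking-mode" and el.text]
    if not modes:
        findings.append("no <tracking-mode> declared; container default applies")
    for mode in modes:
        if mode != "COOKIE":
            findings.append(f"tracking-mode {mode} is enabled")
    return findings


# Constructed sample descriptors (hypothetical, not taken from the thread).
OLD = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config><session-timeout>120</session-timeout></session-config>
</web-app>"""

FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>120</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("old", OLD), ("fixed", FIXED)):
        print(name, check_session_tracking(doc) or "cookie-only tracking declared")
```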
