adding the session id to the url is a fall back because the server isn't sure the browser allows cookies at the time of session creation. and although ; is a valid separator in the http spec, it does break spring urls.
do you front your shiro app with a web server like apache or nginx? if you do, you can add a rewrite rule that removed jsessionid. eg. ReWriteRule ^(.*);JSESSIONID=.*$ $1 [L,R=301] this rule isn't production ready, so please examine it before use. On 15 April 2014 20:59, Anton <[email protected]> wrote: > Good day, everybody. > > ShiroHttpServletResponse has overridden encodeURL(String url) method, which > add JSESSIONID parameter to the urls. > So all links in a HTML page inserted using Spring macros (spring.ulr etc) > become invalid. > > This happens on the first request, then cookie with session id is not set > yet. > > Aforementioned method encodeURL use isEncodeable, which looks like: > > protected boolean isEncodeable(final String location) { > > if (location == null) > return (false); > > // Is this an intra-document reference? > if (location.startsWith("#")) > return (false); > > // Are we in a valid session that is not using cookies? > final HttpServletRequest hreq = request; > final HttpSession session = hreq.getSession(false); > 1) if (session == null) > return (false); > 2) if (hreq.isRequestedSessionIdFromCookie()) > return (false); > > return doIsEncodeable(hreq, session, location); > } > > 1) A session has been already created, so session != null > 2) but it's a brand new session, so hreq.isRequestedSessionIdFromCookie() > == > false > As result we have, that url will be encoded though cookie are used. > > Is it a bug, or I misunderstood something?? > Please help :) > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/Problem-with-JSESSIONID-tp7579874.html > Sent from the Shiro User mailing list archive at Nabble.com. >
