Hey all, I know there have been a few topics on this but none of them have seemed to come up with a 'real' solution that works for me. Essentially I've been noticing that the JSESSION id is getting put in the URL on failed login attempts, or when the session has expired and they are kicked out back to the login screen. I'd very much like to not have that JSESSION id getting put in the URL and I'm not sure what else I need to configure.
Here is my shiro.ini:

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 30000
securityManager.sessionManager.sessionDAO = $sessionStore
securityManager.sessionManager.sessionIdCookieEnabled = true
authc.loginUrl = /

[urls]
/error.jsp = anon
/resources/** = anon
/REST/** = authc, indexFilter
/logout = logout
/ = authc, indexFilter

And here is my shortened web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>skydropadmin</display-name>
  <context-param>
    <param-name>shiroEnvironmentClass</param-name>
    <param-value>org.ops4j.pax.shiro.cdi.web.CdiIniWebEnvironment</param-value>
  </context-param>
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
  <filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
  </listener>
  <welcome-file-list>
    <welcome-file>index</welcome-file>
  </welcome-file-list>
  <resource-env-ref>
    <resource-env-ref-name>BeanManager</resource-env-ref-name>
    <resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
  </resource-env-ref>
</web-app>

So I've got the tracking mode set to cookie inside the web.xml, and the securityManager.sessionManager.sessionIdCookieEnabled = true line inside the shiro.ini, but I'm still getting the JSESSION id in the URL. I'm using Tomcat 7, servlet 3.0 and shiro 1.2.3. Any help on this would be greatly appreciated!
-- View this message in context: http://shiro-user.582556.n2.nabble.com/JSESSION-id-being-put-in-the-URL-tp7580163.html Sent from the Shiro User mailing list archive at Nabble.com.
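
A check for the symptom described in the post above, added here as an example and not part of the original message or of Shiro: it scans access-log lines (or redirect Location values) for a servlet-style session id path parameter and redacts it, so a configuration change can be verified without copying live session ids around. The function names and the sample log lines are constructed for illustration.

```python
import re

# A servlet session id carried in the URL appears as a path parameter,
# ";jsessionid=<id>", ending at the next "?", "#", ";", "/", quote or space.
# Matched case-insensitively because the name may be written in either case.
SESSION_PARAM = re.compile(r'(;jsessionid=)([^?#;/\s"]+)', re.IGNORECASE)


def find_session_ids(line):
    """Return every session id value exposed in the given line."""
    return [m.group(2) for m in SESSION_PARAM.finditer(line)]


def redact(line):
    """Replace the id value but keep the parameter name as it was written."""
    return SESSION_PARAM.sub(lambda m: m.group(1) + "[REDACTED]", line)


def scan(lines):
    """Return (line_number, redacted_line) for each line exposing a session id."""
    hits = []
    for number, line in enumerate(lines, 1):
        if SESSION_PARAM.search(line):
            hits.append((number, redact(line.rstrip("\n"))))
    return hits


# Constructed sample access-log lines (not taken from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET / HTTP/1.1" 302 -',
    '10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] '
    '"GET /;JSESSIONID=0f3c2a7e-constructed HTTP/1.1" 200 1520',
    '10.0.0.5 - - [01/Jan/2015:10:00:02 +0000] '
    '"GET /resources/app.css HTTP/1.1" 200 311',
    '10.0.0.7 - - [01/Jan/2015:10:05:00 +0000] '
    '"GET /index;jsessionid=ABCDEF0123456789?next=%2FREST%2Fitems HTTP/1.1" 200 1520',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

An empty result from `scan` over the log lines written after a login failure or session expiry indicates the id is no longer being appended to URLs.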
