Hello Team,

Thanks for spending your valuable time.

*1) Session Fixation*

Implemented the same as the above link describes. It's working fine, but it is like outside of the framework and not developer friendly. As this is a high security concern, somewhere we need to have a configuration as part of Shiro only.

*2) Session Token in URL*

I am having one more question: on the first request after the session got started, *JSESSIONID* is appended to the URL as follows:

http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad

This is also one of the security concerns, how to resolve it? Anybody having any workaround for this?

I am working with Spring & Shiro, so I tried the following configuration, but it failed.

    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

On Fri, Jul 10, 2015 at 11:19 AM, Rui Tang <[email protected]> wrote:

> Here's an issue about this problem.
>
> https://issues.apache.org/jira/browse/SHIRO-170
>
> Even though it hasn't been fixed, there's some workaround in the comments.
>
> On Thu, Jul 9, 2015 at 1:26 PM, Nagaraju Kurma <[email protected]> wrote:
>
>> Hi Team,
>>
>> Is there any workaround on this?
>>
>> --
>> Thanks & Regards
>> Nagaraju Kurma
>
> --
> 唐睿

--
Thanks & Regards
Nagaraju Kurma
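
One way to verify whether session ids still appear in URLs after a configuration change, as an added example that is not part of the original thread or of Shiro: it scans access-log lines for the `;JSESSIONID=` path parameter in the request target and in the Referer field, and redacts the value in its findings. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path parameter ";name=value" carrying a session id. Case-insensitive: the URL
# in this thread shows "JSESSIONID", servlet containers usually emit "jsessionid".
SESSION_PARAM = re.compile(r';(jsessionid)=([^;/?#\s"]+)', re.IGNORECASE)
# Assumed combined log format: "METHOD target PROTO" status size "referer" "agent"
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def redact(text):
    """Mask the session id value so a finding does not re-leak the token."""
    return SESSION_PARAM.sub(lambda m: ";%s=<redacted>" % m.group(1), text)

def scan_line(line):
    """Return one finding per field (target, referer) that exposes a session id."""
    m = LOG_LINE.search(line)
    if not m:
        return []  # not an access-log line in the assumed format
    findings = []
    for field in ("target", "referer"):
        value = m.group(field) or ""
        # Only the path component is checked; a look-alike inside the query
        # string is user data, not a container-appended path parameter.
        if SESSION_PARAM.search(urlsplit(value).path):
            findings.append({"field": field,
                             "status": int(m.group("status")),
                             "value": redact(value)})
    return findings

def scan_log(lines):
    """Scan many lines; returns (line_number, finding) pairs, 1-based."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]

# Constructed sample lines (session ids are placeholders, not real tokens).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jul/2015:11:30:00 +0000] "GET /myapp1/anon/login;JSESSIONID=CONSTRUCTED-ID-0001 HTTP/1.1" 200 512 "-" "test"',
    '127.0.0.1 - - [10/Jul/2015:11:30:02 +0000] "GET /myapp1/static/app.css HTTP/1.1" 200 90 "http://localhost:8080/myapp1/anon/login;jsessionid=CONSTRUCTED-ID-0001" "test"',
    '127.0.0.1 - - [10/Jul/2015:11:30:05 +0000] "GET /myapp1/search?q=;jsessionid=x HTTP/1.1" 200 10 "-" "test"',
]

if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(line_no, finding["field"], finding["value"])
```

A Referer finding means the token was also sent along with a follow-up request, which is how a URL-borne session id ends up in other systems' logs.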
