<session-config> is available for servlet 3.0. If you use web containers that support a lower version, you have to configure it via the container's config.
E.g. for jetty, http://www.eclipse.org/jetty/documentation/current/session-management.html

On Fri, Jul 10, 2015 at 2:15 PM, Nagaraju Kurma <[email protected]> wrote:

> Hello Team,
>
> Thanks for spending your valuable time.
>
> *1) Session Fixation*
>
> Implemented the same as the above link describes. It's working fine but it
> is like outside of the framework and not developer friendly. As this is a
> high security concern, somewhere we need to have a configuration as part of
> shiro only.
>
> *2) Session Token in url*
>
> I am having one more question: on the first request after the session got
> started, *JSESSIONID* is appended in the url as follows
>
> http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad
>
> This is also one of the security concerns. How to resolve it? Anybody
> having any workaround about this?
>
> I am working with spring & shiro so I tried with the following
> configuration but it failed.
>
> <session-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> On Fri, Jul 10, 2015 at 11:19 AM, Rui Tang <[email protected]> wrote:
>
>> Here's an issue about this problem.
>>
>> https://issues.apache.org/jira/browse/SHIRO-170
>>
>> Even though it hasn't been fixed, there's some workaround in the comments.
>>
>> On Thu, Jul 9, 2015 at 1:26 PM, Nagaraju Kurma <[email protected]> wrote:
>>
>>> Hi Team,
>>>
>>> Is there any workaround on this?
>>>
>>> --
>>>
>>> Thanks & Regards
>>>
>>> Nagaraju Kurma
>>
>> --
>> 唐睿
>
> --
>
> Thanks & Regards
>
> Nagaraju Kurma

--
唐睿
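
One way to handle the session fixation concern raised in the thread from application code, using Shiro's public Subject and Session API to retire the pre-login session id before authenticating. This is an added example, not code from the thread or from the SHIRO-170 comments; the class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Hypothetical helper: class and method names are assumptions, not Shiro API.
public final class SessionRenewingLogin {

    private SessionRenewingLogin() {}

    /** Authenticates the current Subject under a session id issued after the old one is stopped. */
    public static void login(AuthenticationToken token) {
        Subject subject = SecurityUtils.getSubject();

        // false = look up the pre-login session without creating one.
        Session old = subject.getSession(false);
        Map<Object, Object> carried = new LinkedHashMap<>();
        if (old != null) {
            // Copy state the application stored before login (for example a
            // saved request). Narrow this to an allow-list of keys if
            // pre-login attributes can be influenced by the client.
            for (Object key : old.getAttributeKeys()) {
                carried.put(key, old.getAttribute(key));
            }
            // Invalidate the id the browser presented before authenticating,
            // so an id planted by someone else never becomes an authenticated one.
            old.stop();
        }

        // The Subject has no session now, so this allocates a new id.
        Session fresh = subject.getSession(true);
        for (Map.Entry<Object, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Throws AuthenticationException on failure; the caller then holds a
        // fresh anonymous session, never the old id.
        subject.login(token);
    }
}
```

Call `SessionRenewingLogin.login(token)` wherever the application currently calls `subject.login(token)` directly, so every login path renews the id.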
