Hi Alina, thanks for your report. Can you modify your test environment in such a way that you can find the exact version where it happens for the first time? 1.2.3 to 1.7.0 is quite a big leap.
Some random things which we modified and categorize as a breaking change: Default ciphers were changed from an alias to their non-aliased names. Cookies are secure by default.

Also helpful would be your shiro.ini or at least the realms you are using.

Thanks,
Ben

On Wed, 19 May 2021 at 16:53, alina.frey <[email protected]> wrote:
>
> In my application I updated only the Shiro library, from shiro-all-1.2.3.jar
> to shiro-all-1.7.0.jar. I did not change any other libraries, nor
> configuration files, other than the build path to refer to the new Shiro
> library.
>
> Users that were able to log in before are now not able to. Digging in the
> log files, it shows that the users do actually get logged in, and a session
> is associated with them.
>
> Watching the session cookie in the browser. When the user tries to log in,
> the initial session cookie that is shown in the browser is the same as one
> recorded in the logs. This initial session cookie gets replaced immediately
> with a different one. Therefore the user cannot log in to the application.
> Printing out all the active sessions: three sessions are displayed, and only
> the initial session is associated with the user. One of the other two
> sessions is the one displayed in the browser.
>
> Trying to figure out what's happening and what causes this. Trying to figure out
> what settings I need to change to make the application work as before.
>
> Thanks a bunch!
> -Alina.
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
