You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Nagaraju Kurma (JIRA)" <ji...@apache.org> on 2015/07/13 07:03:04 UTC

[jira] [Created] (SHIRO-536) Session token in url

Nagaraju Kurma created SHIRO-536:
------------------------------------

             Summary: Session token in url
                 Key: SHIRO-536
                 URL: https://issues.apache.org/jira/browse/SHIRO-536
             Project: Shiro
          Issue Type: Bug
          Components: Authentication (log-in), Session Management
    Affects Versions: 1.2.3
         Environment: Security
            Reporter: Nagaraju Kurma


Hello Team,

As we know that this is one of the vulnerability challenges where we are supposed to remove JSESSIONID from the url.

I observed that there is a possibility with the plain servlet api 3.x version with the web.xml configuration which disables the JSESSIONID from the url is

<session-config>
 <tracking-mode>COOKIE</tracking-mode>
</session-config>

But shiro will identify and reads the above configuration if and only if shiro xml contains session manager configuration with the class 
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>

But the limitations with above class are....

1) No session listeners configuration
2) No Session dao configuration
3) No Session validation scheduler configuration
4) No invalid session deletion configuration
...
...
etc

But removing session token from the url is possible with this.

To achieve all the above limitations i am using the following session manager

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>

But with this i unable to hide session token from the url as it doesnt read web.xml configuration and context.xml...etc

Does anybody having any work around this or is there any other session manger which will include both above 2 session managers functionality so that i can achieve all the above limitations and the session token issue. 

I am facing the issues with these insufficient configuration, Could anybody please suggest the way forward..



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)