Posted to dev@shiro.apache.org by "Carsten Englert (JIRA)" <ji...@apache.org> on 2015/09/14 01:17:46 UTC

[jira] [Commented] (SHIRO-536) Session token in url

    [ https://issues.apache.org/jira/browse/SHIRO-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14742719#comment-14742719 ] 

Carsten Englert commented on SHIRO-536:
---------------------------------------

Any news on this?

I'm struggling to find a workaround as well, since setting a specific SessionDAO seems to be mandatory in order to get [Shiro working in a cluster environment|http://shiro.apache.org/session-management.html#SessionManagement-SessionClustering].

Giving up the more secure Cookie tracking mode in favor of the Session ID being included in the URL is not an option.

> Session token in url
> --------------------
>
>                 Key: SHIRO-536
>                 URL: https://issues.apache.org/jira/browse/SHIRO-536
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in), Session Management
>    Affects Versions: 1.2.3
>         Environment: Security
>            Reporter: Nagaraju Kurma
>              Labels: security
>
> Hello Team,
> As we know, this is one of the vulnerability challenges where we are supposed to remove JSESSIONID from the URL.
> I observed that with the plain Servlet API 3.x there is a web.xml configuration which disables the JSESSIONID in the URL:
> <session-config>
>  <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> But Shiro will identify and read the above configuration if and only if the Shiro XML contains a session manager configuration with the class
> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>
> But the limitations of the above class are:
> 1) No session listeners configuration
> 2) No Session dao configuration
> 3) No Session validation scheduler configuration
> 4) No invalid session deletion configuration
> ...
> ...
> etc
> But removing session token from the url is possible with this.
> To address all the above limitations I am using the following session manager:
> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>
> But with this I am unable to hide the session token from the URL, as it doesn't read the web.xml configuration, context.xml, etc.
> Does anybody have a workaround for this, or is there any other session manager which includes the functionality of both of the above session managers, so that I can address all the above limitations and the session token issue?
> I am facing issues with this insufficient configuration. Could anybody please suggest the way forward?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
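As an added example (not code from the issue, the comment, or the Shiro project), here is the Spring XML shape of a DefaultWebSessionManager configuration that keeps the native-session features the reporter lists (SessionDAO, listeners, validation scheduler, invalid-session deletion) while keeping the session ID out of URLs. It assumes Shiro 1.3.0 or later, where DefaultWebSessionManager gained the sessionIdUrlRewritingEnabled property; on 1.2.3 that property does not exist and the bean would fail to load. The web.xml <tracking-mode> setting never applies to this manager, because DefaultWebSessionManager issues its own session cookie and does not use the container's HttpSession. The listener bean (com.example.AuditSessionListener) is a hypothetical placeholder.

```xml
<!-- Weak form: the Shiro 1.2.x default. Native sessions, but the session id may be
     written into URLs by encodeURL()/encodeRedirectURL() on the first, cookie-less request. -->
<bean id="sessionManagerWeak" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"/>

<!-- Hardened form (Shiro 1.3.0+). -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <constructor-arg value="JSESSIONID"/>
    <property name="httpOnly" value="true"/>   <!-- not readable from script -->
    <property name="secure" value="true"/>     <!-- only sent over TLS -->
    <property name="maxAge" value="-1"/>       <!-- browser-session cookie -->
</bean>

<!-- Cache-backed DAO, the usual starting point for clustered sessions. -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"/>

<!-- Hypothetical application listener; replace with your own SessionListener. -->
<bean id="auditSessionListener" class="com.example.AuditSessionListener"/>

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <!-- Track the session only through the cookie above ... -->
    <property name="sessionIdCookieEnabled" value="true"/>
    <property name="sessionIdCookie" ref="sessionIdCookie"/>
    <!-- ... and never read it from, or write it into, the URL. -->
    <property name="sessionIdUrlRewritingEnabled" value="false"/>

    <!-- The features ServletContainerSessionManager cannot offer. -->
    <property name="sessionDAO" ref="sessionDAO"/>
    <property name="sessionListeners">
        <list>
            <ref bean="auditSessionListener"/>
        </list>
    </property>
    <property name="globalSessionTimeout" value="1800000"/>          <!-- 30 min, ms -->
    <property name="sessionValidationSchedulerEnabled" value="true"/>
    <property name="sessionValidationInterval" value="1800000"/>      <!-- ms -->
    <property name="deleteInvalidSessions" value="true"/>
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionManager" ref="sessionManager"/>
</bean>
```

To confirm the setting took effect, request a protected page from a client that sends no cookies and inspect the Location header and any links in the body: with URL rewriting disabled none of them should carry a ";JSESSIONID=" path parameter, and the session ID should arrive only in a Set-Cookie header with the HttpOnly and Secure flags shown above.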