Posted to dev@shiro.apache.org by Mike K <mk...@semanticresearch.com> on 2010/10/25 18:17:43 UTC

shiro-1.10-snapshot cookie max-age issues

Having grabbed the latest shiro-1.10 snapshot, I started experiencing login
issues in the application. Digging in further, I have noticed the following
difference with cookies dropped at login between the earlier code drop and
the newest:
OLD:
Set-Cookie: JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; HttpOnly
NEW:
Set-Cookie: JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; Max-Age=-1; HttpOnly


The difference is the setting of Max-Age=1, which seems like the right thing
to do according to http://www.faqs.org/rfcs/rfc2616.html. Unfortunately
this causes Firefox to delete the cookie and not forward it on subsequent
requests. IE is not affected by this change.

This seems like a bug (even if it really is in Firefox), but perhaps the
devs here have a suggestion to mitigate this.
-- 
View this message in context: http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671317.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
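
Added example (not part of the original thread and not Shiro's code): the two headers from the report, classified the way a user agent following RFC 6265 section 5.2.2 (published after this thread) treats Max-Age, next to a serializer that omits Max-Age for a negative value, as the servlet Cookie API defines a negative max age. The function names cookieLifetime and serializeSessionCookie are hypothetical.

```javascript
// The two Set-Cookie values quoted in the report above.
const OLD = "JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; HttpOnly";
const NEW = "JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; Max-Age=-1; HttpOnly";

// Lifetime a user agent following RFC 6265 section 5.2.2 assigns to a cookie,
// computed from the Set-Cookie header value.
function cookieLifetime(setCookie, nowMs = Date.now()) {
  const [, ...attrs] = setCookie.split(";").map((s) => s.trim());
  let maxAge = null;
  for (const av of attrs) {
    const eq = av.indexOf("=");
    const name = (eq === -1 ? av : av.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : av.slice(eq + 1).trim();
    // A Max-Age value that is not an optionally signed integer is ignored;
    // when the attribute repeats, the last valid one wins.
    if (name === "max-age" && /^-?\d+$/.test(value)) maxAge = parseInt(value, 10);
  }
  // No Max-Age (Expires is not modelled here): kept until the browser exits.
  if (maxAge === null) return { kind: "session", expiresAt: null };
  // Zero or negative delta-seconds: expiry is the earliest representable
  // time, so the cookie is discarded and never sent on later requests.
  if (maxAge <= 0) return { kind: "expired", expiresAt: 0 };
  return { kind: "persistent", expiresAt: nowMs + maxAge * 1000 };
}

// Server side: a negative maxAge means "non-persistent cookie" in the servlet
// Cookie API, which on the wire is expressed by leaving Max-Age out.
function serializeSessionCookie({ name, value, path, maxAge = -1, httpOnly = true }) {
  const parts = [`${name}=${value}`];
  if (path) parts.push(`Path=${path}`);
  if (maxAge >= 0) parts.push(`Max-Age=${maxAge}`); // 0 asks the browser to delete it
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

console.log("OLD:", cookieLifetime(OLD).kind); // session cookie, sent back
console.log("NEW:", cookieLifetime(NEW).kind); // expired on arrival, login breaks
console.log(serializeSessionCookie({ name: "JSESSIONID", value: "example", path: "/service" }));
```
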

Re: shiro-1.10-snapshot cookie max-age issues

Posted by Les Hazlewood <lh...@apache.org>.
Not sure - Kalle fixed this one.  Kalle?

Les

Re: shiro-1.10-snapshot cookie max-age issues

Posted by Kalle Korhonen <ka...@gmail.com>.
https://issues.apache.org/jira/browse/SHIRO-183

On Sun, Oct 31, 2010 at 11:46 AM, Alan D. Cabrera <li...@toolazydogs.com> wrote:
> What Jira issue was this fix checked in under?  I want to merge the fix into my sandbox branch to see if it fixes SHIRO-212.
>
>
> Regards,
> Alan
>
> On Oct 25, 2010, at 9:43 AM, Kalle Korhonen wrote:
>
>> I appreciate the report. The cookie spec is a bit vague on this and
>> unfortunately browsers handle the corner cases differently. Please
>> grab the latest snapshot later today (I just checked in a fix) which
>> should resolve this but also keep the fix for the original issue in
>> place.
>>
>> Kalle
>>
>>
>> On Mon, Oct 25, 2010 at 9:17 AM, Mike K <mk...@semanticresearch.com> wrote:
>>>
>>> Having grabbed the latest shiro-1.10 snapshot, I started experiencing login
>>> issues in the application. Digging in further, I have noticed the following
>>> difference with cookies dropped at login between the earlier code drop and
>>> the newest:
>>> OLD:
>>> Set-Cookie: JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; HttpOnly
>>> NEW:
>>> Set-Cookie: JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; Max-Age=-1; HttpOnly
>>>
>>>
>>> The difference is the setting of Max-Age=1, which seems like the right thing
>>> to do according to http://www.faqs.org/rfcs/rfc2616.html. Unfortunately
>>> this causes Firefox to delete the cookie and not forward it on subsequent
>>> requests. IE is not affected by this change.
>>>
>>> This seems like a bug (even if it really is in Firefox), but perhaps the
>>> devs here have a suggestion to mitigate this.
>>> --
>>> View this message in context: http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671317.html
>>> Sent from the Shiro Developer mailing list archive at Nabble.com.
>>>
>
>

Re: shiro-1.10-snapshot cookie max-age issues

Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.
What Jira issue was this fix checked in under?  I want to merge the fix into my sandbox branch to see if it fixes SHIRO-212.


Regards,
Alan

On Oct 25, 2010, at 9:43 AM, Kalle Korhonen wrote:

> I appreciate the report. The cookie spec is a bit vague on this and
> unfortunately browsers handle the corner cases differently. Please
> grab the latest snapshot later today (I just checked in a fix) which
> should resolve this but also keep the fix for the original issue in
> place.
> 
> Kalle
> 
> 
> On Mon, Oct 25, 2010 at 9:17 AM, Mike K <mk...@semanticresearch.com> wrote:
>> 
>> Having grabbed the latest shiro-1.10 snapshot, I started experiencing login
>> issues in the application. Digging in further, I have noticed the following
>> difference with cookies dropped at login between the earlier code drop and
>> the newest:
>> OLD:
>> Set-Cookie: JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; HttpOnly
>> NEW:
>> Set-Cookie: JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; Max-Age=-1; HttpOnly
>>
>>
>> The difference is the setting of Max-Age=1, which seems like the right thing
>> to do according to http://www.faqs.org/rfcs/rfc2616.html. Unfortunately
>> this causes Firefox to delete the cookie and not forward it on subsequent
>> requests. IE is not affected by this change.
>> 
>> This seems like a bug (even if it really is in Firefox), but perhaps the
>> devs here have a suggestion to mitigate this.
>> --
>> View this message in context: http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671317.html
>> Sent from the Shiro Developer mailing list archive at Nabble.com.
>> 


Re: shiro-1.10-snapshot cookie max-age issues

Posted by Mike K <mk...@semanticresearch.com>.
Excellent. Just grabbed the new source and we are back in business. 
Thanks
-- 
View this message in context: http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671555.html
Sent from the Shiro Developer mailing list archive at Nabble.com.

Re: shiro-1.10-snapshot cookie max-age issues

Posted by Kalle Korhonen <ka...@gmail.com>.
I appreciate the report. The cookie spec is a bit vague on this and
unfortunately browsers handle the corner cases differently. Please
grab the latest snapshot later today (I just checked in a fix) which
should resolve this but also keep the fix for the original issue in
place.

Kalle


On Mon, Oct 25, 2010 at 9:17 AM, Mike K <mk...@semanticresearch.com> wrote:
>
> Having grabbed the latest shiro-1.10 snapshot, I started experiencing login
> issues in the application. Digging in further, I have noticed the following
> difference with cookies dropped at login between the earlier code drop and
> the newest:
> OLD:
> Set-Cookie: JSESSIONID=6fd35335-6dd6-4d37-9813-71264e027bfe; Path=/service; HttpOnly
> NEW:
> Set-Cookie: JSESSIONID=b11cc1ab-d812-44e5-af15-a291bdf3a6d7; Path=/service; Max-Age=-1; HttpOnly
>
>
> The difference is the setting of Max-Age=1, which seems like the right thing
> to do according to http://www.faqs.org/rfcs/rfc2616.html. Unfortunately
> this causes Firefox to delete the cookie and not forward it on subsequent
> requests. IE is not affected by this change.
>
> This seems like a bug (even if it really is in Firefox), but perhaps the
> devs here have a suggestion to mitigate this.
> --
> View this message in context: http://shiro-developer.582600.n2.nabble.com/shiro-1-10-snapshot-cookie-max-age-issues-tp5671317p5671317.html
> Sent from the Shiro Developer mailing list archive at Nabble.com.
>