You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/08/05 22:11:14 UTC
[jira] Created: (SHIRO-83) Make sessionId cookie optional
Make sessionId cookie optional
------------------------------
Key: SHIRO-83
URL: https://issues.apache.org/jira/browse/SHIRO-83
Project: Shiro
Issue Type: Improvement
Components: Web
Affects Versions: 1.0
Reporter: Les Hazlewood
Fix For: 1.0
In rich-client applications (Ajax, Flex, etc), it is more secure to have the rich-client framework explicitly send the session ID back to the server with every request in its native/encrypted format, rather than via cookies, which are more susceptible to man-in-the-middle attacks. GWT works this way as well.
Make it a configuration possibility to disable cookies entirely, supporting this rich-client-over-http scenario.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.