You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/08/05 22:11:14 UTC

[jira] Created: (SHIRO-83) Make sessionId cookie optional

Make sessionId cookie optional
------------------------------

                 Key: SHIRO-83
                 URL: https://issues.apache.org/jira/browse/SHIRO-83
             Project: Shiro
          Issue Type: Improvement
          Components: Web
    Affects Versions: 1.0
            Reporter: Les Hazlewood
             Fix For: 1.0


In rich-client applications (Ajax, Flex, etc), it is more secure to have the rich-client framework explicitly send the session ID back to the server with every request in its native/encrypted format, rather than via cookies, which are more susceptible to man-in-the-middle attacks.  GWT works this way as well.

Make it a configuration possibility to disable cookies entirely, supporting this rich-client-over-http scenario.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.