You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2013/04/17 06:13:16 UTC

[jira] [Resolved] (SHIRO-351) Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)

     [ https://issues.apache.org/jira/browse/SHIRO-351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved SHIRO-351.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 1.3.0
                   1.2.2

Fixed in 1.2.x branch (for the upcoming 1.2.2 release) and in trunk.

This fix however does NOT support custom sessionId names - it only works with JSESSIONID.  The problem is that the URL Rewriting logic in the ShiroHttpServletResponse does not have direct access to the SessionManager implementation to consult for the sessionIdName property.  This requires a much deeper fix that should be implemented, but at a later date (probably 2.0).
                
> Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-351
>                 URL: https://issues.apache.org/jira/browse/SHIRO-351
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.2.0
>         Environment: N/A
>            Reporter: Gareth Collins
>             Fix For: 1.2.2, 1.3.0
>
>
> The background for this issue is here:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-quot-JSESSIONID-quot-or-quot-JSESSIONID-quot-td7367217.html
> In summary the issue is that Shiro supports extracting JSESSIONID from urls of this format:
> http://www.mycompany.com/myResource?JSESSIONID=ABCDEF
> but not of this format (this URL format is generated by HTTPServletResponse encodeURL method and is Servlet specification 2.5 compliant):
> http://www.mycompany.com/myResource;JSESSIONID=ABCDEF
> Shiro should be able to support both URL formats.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira