Posted to user@shiro.apache.org by Nagaraju Kurma <na...@enhancesys.com> on 2015/07/09 07:26:44 UTC
Force new session id on authentication
Hi Team,
Is there any workaround for this?
--
Thanks & Regards
Nagaraju Kurma
Re: Force new session id on authentication
Posted by Sashika <sa...@gmail.com>.
There is no support for this in Shiro as far as I know. For Vaadin I used
VaadinService.reinitializeSession(), which generates a new session ID. You
have to use whatever your framework provides for this purpose.
Re: Force new session id on authentication
Posted by Rui Tang <ta...@gmail.com>.
I have never used TomEE, but I think it should be the same as Tomcat.
You can try this out:
https://fralef.me/tomcat-disable-jsessionid-in-url.html
Put a context.xml file in your webapp's META-INF/ folder. You may not need
the docBase property, because it is only needed when you do not deploy your
webapp in the webapps/ folder.
Hope this helps!
--
唐睿
Re: Force new session id on authentication
Posted by Nagaraju Kurma <na...@enhancesys.com>.
Hello Team,
I tried a lot and concluded that there is a configuration option in TomEE's
*system.properties*. But unfortunately this configuration is not working for
me.
openejb.jsessionid-support = false
http://tomee.apache.org/properties-listing.html
Does anybody have any workaround for this?
--
Thanks & Regards
Nagaraju Kurma
Re: Force new session id on authentication
Posted by Nagaraju Kurma <na...@enhancesys.com>.
Hello Rui Tang,
I am using the Apache TomEE web container, version
*apache-tomee-plus-1.7.1*.
I think it is equivalent to Apache Tomcat with enhanced features and
application-server behavior, as follows:
Tomcat + Java EE = TomEE
--
Thanks & Regards
Nagaraju Kurma
Re: Force new session id on authentication
Posted by Rui Tang <ta...@gmail.com>.
It's not about the version number in web.xml, but the actual servlet
version that your container supports. If your container only supports
Servlet 2.5, the way you wrote the web.xml will not work.
Can you tell me what your web container is? Tomcat, or something like WebLogic?
--
唐睿
Re: Force new session id on authentication
Posted by Nagaraju Kurma <na...@enhancesys.com>.
Hello Rui Tang,
I am using Servlet 3.0 only, and my web.xml is as follows.
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
*version="3.0"*>
Sorry, I am not clear on how to implement this configuration in my
application, as I am not running any Jetty configuration at all.
Could you please elaborate on the configuration files needed to hide the
JSESSIONID in my simple Spring & Shiro based web application?
--
Thanks & Regards
Nagaraju Kurma
Re: Force new session id on authentication
Posted by Rui Tang <ta...@gmail.com>.
<session-config> is available from Servlet 3.0. If you use a web container
that only supports a lower version, you have to configure it via the
container's own config. E.g. for Jetty:
http://www.eclipse.org/jetty/documentation/current/session-management.html
--
唐睿
Re: Force new session id on authentication
Posted by Nagaraju Kurma <na...@enhancesys.com>.
Hello Team,
Thanks for spending your valuable time on this.
*1) Session Fixation*
I implemented it as the above link describes. It is working fine, but it
is outside of the framework and not developer friendly. As this is a high
security concern, somewhere we need to have a configuration as part of
Shiro itself.
*2) Session Token in URL*
I have one more question: on the first request after the session is
started, *JSESSIONID* is appended to the URL as follows:
http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad
This is also a security concern. How can it be resolved? Does anybody have
a workaround for this?
I am working with Spring & Shiro, so I tried the following configuration,
but it failed.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
--
Thanks & Regards
Nagaraju Kurma
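Added example, not part of the thread above and not Shiro's or TomEE's own code. The id in the URL quoted above (c04cd50c-65fc-4448-9a27-732e6d40dfad) is UUID-shaped, which is what Shiro's native DefaultWebSessionManager produces with its default JavaUuidSessionIdGenerator; Tomcat's own ids look different. If that assumption holds, the servlet <session-config> tracking mode never applies, because the container is not the one writing ";JSESSIONID=" into links and redirects: Shiro's response wrapper does it whenever the session cookie has not yet round-tripped. Since Shiro 1.3 DefaultWebSessionManager has a sessionIdUrlRewritingEnabled property (default true in 1.x) that switches this off. The Spring Java config below shows the hardened session manager wired into the security manager and ShiroFilter; the /anon/login path is taken from the URL in the message, the Realm bean is assumed to be defined elsewhere, and the bean and class names are mine. If the app instead uses the default ServletContainerSessionManager, the container owns the id and the web.xml <session-config> from the message is the right place (TomEE 1.7.1 bundles Tomcat 7, which honours it).

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not from the thread or the Shiro project): Spring Java
 * config that keeps the Shiro session id out of URLs and locks the cookie
 * down. Assumes Shiro 1.3+ on the classpath and a Realm bean defined
 * elsewhere in the context.
 */
@Configuration
public class ShiroSessionConfig {

    @Bean
    public DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager sm = new DefaultWebSessionManager();

        // Shiro 1.x default: URL rewriting enabled, so until the cookie has
        // round-tripped, encodeURL()/encodeRedirectURL() append
        // ";JSESSIONID=<id>" to links and redirects. Turn it off (Shiro 1.3+).
        sm.setSessionIdUrlRewritingEnabled(false);

        // The id travels only in a cookie that script cannot read and that
        // is never sent over plain HTTP.
        SimpleCookie cookie = new SimpleCookie("JSESSIONID");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);   // assumes the app is served over HTTPS
        cookie.setPath("/");
        sm.setSessionIdCookieEnabled(true);
        sm.setSessionIdCookie(cookie);

        sm.setGlobalSessionTimeout(30 * 60 * 1000L); // 30 minutes idle
        return sm;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager wsm = new DefaultWebSecurityManager();
        wsm.setRealm(realm);
        // Replace the default ServletContainerSessionManager with Shiro's own.
        wsm.setSessionManager(sessionManager());
        return wsm;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean f = new ShiroFilterFactoryBean();
        f.setSecurityManager(securityManager);
        f.setLoginUrl("/anon/login"); // path from the URL quoted in the thread
        Map<String, String> chains = new LinkedHashMap<String, String>();
        chains.put("/anon/**", "anon");
        chains.put("/**", "authc");
        f.setFilterChainDefinitionMap(chains);
        return f;
    }
}
```

Check it after deploying: request a protected page with no cookies (for example with curl and no cookie jar) and confirm the Location header of the redirect to /anon/login contains no ";JSESSIONID=" and that the id arrives only in a Set-Cookie header carrying HttpOnly and Secure.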
Re: Force new session id on authentication
Posted by Rui Tang <ta...@gmail.com>.
Here's an issue about this problem:
https://issues.apache.org/jira/browse/SHIRO-170
Even though it hasn't been fixed, there is a workaround in the comments.
--
唐睿
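Added example, not part of the thread and not Shiro's own API, covering the session fixation point raised in this thread (Sashika's Vaadin reinitializeSession() note and the SHIRO-170 workaround). Shiro has no switch that rotates the session id on login, so the portable workaround is: copy the pre-authentication session attributes, stop that session, log in (Shiro then starts a fresh session with a new id to hold the authenticated principals), and copy the attributes back. The class and method names are mine; the Shiro calls (Subject, Session, UsernamePasswordToken, DefaultSubjectContext keys) exist in Shiro 1.2+. On a Servlet 3.1 container with the default ServletContainerSessionManager, HttpServletRequest.changeSessionId() is the simpler alternative, but TomEE 1.7.1 bundles Tomcat 7 (Servlet 3.0), so the stop-and-recreate approach is the one that works there.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/**
 * Added example (not Shiro's own code): log in so that the session id the
 * client used before authentication is never the id of the authenticated
 * session, which is what session fixation relies on. Works with Shiro's
 * DefaultWebSessionManager (stop() deletes the session and expires the
 * cookie) and with ServletContainerSessionManager (stop() invalidates the
 * HttpSession).
 */
public final class FixationSafeLogin {

    private FixationSafeLogin() {
    }

    /**
     * Authenticates the current Subject and returns it. After this call the
     * subject's session id differs from any id the client presented before.
     */
    public static Subject login(String username, char[] password, boolean rememberMe)
            throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // 1. Preserve application state stored before authentication, e.g. a
        //    CSRF token or Shiro's saved request used to redirect after login.
        //    Never carry over principal/authentication markers: the new
        //    session must get those from the login itself.
        Map<Object, Object> preserved = new HashMap<Object, Object>();
        Session old = subject.getSession(false);
        if (old != null) {
            for (Object key : old.getAttributeKeys()) {
                if (DefaultSubjectContext.PRINCIPALS_SESSION_KEY.equals(key)
                        || DefaultSubjectContext.AUTHENTICATED_SESSION_KEY.equals(key)) {
                    continue;
                }
                preserved.put(key, old.getAttribute(key));
            }
            // 2. Retire the id an attacker may already know. The subject now
            //    has no session at all.
            old.stop();
        }

        // 3. Authenticate. Because the subject has no session, Shiro starts a
        //    new one (new id, new Set-Cookie) to store the principals.
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
        try {
            subject.login(token);
        } finally {
            token.clear(); // do not keep the password in memory
        }

        // 4. Restore the pre-login state onto the fresh session.
        Session fresh = subject.getSession();
        for (Map.Entry<Object, Object> e : preserved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return subject;
    }
}
```

Call it from the login controller in place of a bare subject.login(token). To verify the rotation, log in with a browser's network panel open or with curl and a cookie jar: the JSESSIONID value in the login response's Set-Cookie must differ from the cookie sent with the login request, and a request replaying the old id must be treated as anonymous.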