Posted to user@shiro.apache.org by Bengt Rodehav <be...@rodehav.com> on 2012/06/18 15:58:57 UTC

Using a different cookie name than JSESSIONID

I'm using Shiro 1.1 running in Apache Karaf 2.2.5.

Often I install more than one web application on the same server (but using
different ports). These applications are unrelated. However if I open them
in separate tabs in the web browser they start interfering with each other.
Imagine this scenario:

- Web application A and B are both installed on the same server.
- Open the URL to application A in the first tab in the web browser and
then log in
- Open the URL to application B in the second tab in the web browser and
then log in
- Go back to the first tab in the web browser and issue a request. I then
have to log in again since the server does not recognize the session id.

I haven't debugged this thoroughly but I think the problem is that the same
cookie name (JSESSIONID) is used by both web applications. Therefore, the
second log in (to application B) will overwrite the session id from the
first log in.

I'm not sure if I'm doing something wrong here - this seems like a very
common scenario (especially in a test environment). The obvious solution
would be to make the name of the session cookie configurable so that
application A could use a cookie called "JSESSIONID_A" and application B
could use a cookie called "JSESSIONID_B". Is this possible with Shiro? Is
there another/better way to solve this problem?

/Bengt

Re: Using a different cookie name than JSESSIONID

Posted by Bengt Rodehav <be...@rodehav.com>.
Works perfectly - thanks a lot!

/Bengt

2012/6/29 Jared Bunting <ja...@peachjean.com>

> The default is hardcoded, but the Cookie class has a "setName" method.
> It looks like I got the setter wrong for the DefaultWebSessionManager.
> How about this?
>
> securityManager.sessionManager.sessionIdCookie.name

Re: Using a different cookie name than JSESSIONID

Posted by Jared Bunting <ja...@peachjean.com>.
The default is hardcoded, but the Cookie class has a "setName" method.  
It looks like I got the setter wrong for the DefaultWebSessionManager.  
How about this?

securityManager.sessionManager.sessionIdCookie.name

On Fri 29 Jun 2012 06:58:00 AM CDT, Bengt Rodehav wrote:
> I've been browsing through the Shiro 1.1 source code and I see this:
>
>     public DefaultWebSessionManager() {
>         Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
>         cookie.setHttpOnly(true); //more secure, protects against XSS attacks
>         this.sessionIdCookie = cookie;
>         this.sessionIdCookieEnabled = true;
>     }
>
> It looks like the name of the session cookie is hard coded. Am I
> looking in the wrong place?
>
> /Bengt



Re: Using a different cookie name than JSESSIONID

Posted by Bengt Rodehav <be...@rodehav.com>.
I've been browsing through the Shiro 1.1 source code and I see this:

    public DefaultWebSessionManager() {
        Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
        cookie.setHttpOnly(true); //more secure, protects against XSS attacks
        this.sessionIdCookie = cookie;
        this.sessionIdCookieEnabled = true;
    }

It looks like the name of the session cookie is hard coded. Am I looking in
the wrong place?

/Bengt


2012/6/29 Bengt Rodehav <be...@rodehav.com>

> Hello again Jared,
>
> After reading this:
>
> http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific
>
> it seems that cookies are reused between different ports on the same
> server (strange behaviour). I've also verified this while debugging in
> Chrome. I therefore intend to encode the port in the name of the session
> cookie, e.g. JSESSIONID_8081.
>
> However I can't seem to get your advice to work. I've tried:
>
> - securityManager.sessionManager.cookie.name
> - securityManager.sessionManager.cookieName
>
> But there is no such property. I also cannot see the property when looking
> in the code. Did I misinterpret you? Remember I'm using Shiro 1.1 (not 1.2).
>
> /Bengt

Re: Using a different cookie name than JSESSIONID

Posted by Bengt Rodehav <be...@rodehav.com>.
Hello again Jared,

After reading this:

http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific

it seems that cookies are reused between different ports on the same server
(strange behaviour). I've also verified this while debugging in Chrome. I
therefore intend to encode the port in the name of the session cookie, e.g.
JSESSIONID_8081.

However I can't seem to get your advice to work. I've tried:

- securityManager.sessionManager.cookie.name
- securityManager.sessionManager.cookieName

But there is no such property. I also cannot see the property when looking
in the code. Did I misinterpret you? Remember I'm using Shiro 1.1 (not 1.2).

/Bengt

2012/6/20 Bengt Rodehav <be...@rodehav.com>

> Thanks a lot for your reply Jared,
>
> I'm using native Shiro sessions. Will try setting the property you suggest
> - thanks!
>
> I'll also check whether the cookies really interfere - I haven't
> investigated it thoroughly yet. I just noted that if I log into another
> application on the same host (but different ports) then the first
> application is logged out. I then assumed that the session cookies
> overwrote each other but I honestly don't know if that is the case.
>
> Whether the port is part of the "key" for the cookie could perhaps be
> browser specific. I've only tested this on Chrome yet.
>
> /Bengt

Re: Using a different cookie name than JSESSIONID

Posted by Bengt Rodehav <be...@rodehav.com>.
Thanks a lot for your reply Jared,

I'm using native Shiro sessions. Will try setting the property you suggest
- thanks!

I'll also check whether the cookies really interfere - I haven't
investigated it thoroughly yet. I just noted that if I log into another
application on the same host (but different ports) then the first
application is logged out. I then assumed that the session cookies
overwrote each other but I honestly don't know if that is the case.

Whether the port is part of the "key" for the cookie could perhaps be
browser specific. I've only tested this on Chrome yet.

/Bengt

2012/6/20 Jared Bunting <ja...@peachjean.com>

> Are you using native shiro sessions or container-managed sessions?  If
> native shiro sessions, you should be able to do something like this in
> shiro.ini:
>
> sessionManager.cookie.name=JSESSIONID_A
>
> Otherwise, you would need to consult your container to figure out how
> to change the cookie name.
>
> However, it seems odd to me that cookies for apps on different ports
> would interfere with each other.
>
> -Jared

Re: Using a different cookie name than JSESSIONID

Posted by Jared Bunting <ja...@peachjean.com>.
Are you using native shiro sessions or container-managed sessions?  If 
native shiro sessions, you should be able to do something like this in 
shiro.ini:

sessionManager.cookie.name=JSESSIONID_A

Otherwise, you would need to consult your container to figure out how 
to change the cookie name.

However, it seems odd to me that cookies for apps on different ports 
would interfere with each other.

-Jared

On Wed 20 Jun 2012 01:48:27 PM CDT, Bengt Rodehav wrote:
> Does no one have any advice regarding this? I was hoping it was a not
> so uncommon issue.
>
> /Bengt



Re: Using a different cookie name than JSESSIONID

Posted by Bengt Rodehav <be...@rodehav.com>.
Does no one have any advice regarding this? I was hoping it was a not so
uncommon issue.

/Bengt

2012/6/18 Bengt Rodehav <be...@rodehav.com>

> I'm using Shiro 1.1 running in Apache Karaf 2.2.5.
>
> Often I install more than one web application on the same server (but
> using different ports). These applications are unrelated. However if I open
> them in separate tabs in the web browser they start interfering with each
> other. Imagine this scenario:
>
> - Web application A and B are both installed on the same server.
> - Open the URL to application A in the first tab in the web browser and
> then log in
> - Open the URL to application B in the second tab in the web browser and
> then log in
> - Go back to the first tab in the web browser and issue a request. I then
> have to log in again since the server does not recognize the session id.
>
> I haven't debugged this thoroughly but I think the problem is that the
> same cookie name (JSESSIONID) is used by both web applications. Therefore,
> the second log in (to application B) will overwrite the session id from the
> first log in.
>
> I'm not sure if I'm doing something wrong here - this seems like a very
> common scenario (especially in a test environment). The obvious solution
> would be to make the name of the session cookie configurable so that
> application A could use a cookie called "JSESSIONID_A" and application B
> could use a cookie called "JSESSIONID_B". Is this possible with Shiro? Is
> there another/better way to solve this problem?
>
> /Bengt
>
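
Added example (not part of the thread and not Shiro code): a minimal JavaScript model of the RFC 6265 cookie store, replaying the two-application scenario from the original post with a shared cookie name and then with per-port names. The host name, ports and session ids are constructed sample values, and CookieJar, defaultPath, pathMatches and replay are hypothetical names.

```javascript
// Minimal model of a browser cookie store (RFC 6265 storage model).
// A stored cookie is identified by (name, domain, path); the port of the
// server that set it is not part of the key.

function defaultPath(pathname) {
  // RFC 6265 default-path: the request path up to its right-most "/".
  const i = pathname.lastIndexOf("/");
  return i <= 0 ? "/" : pathname.slice(0, i);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() {
    this.store = new Map(); // "name;domain;path" -> cookie
  }

  // Store a Set-Cookie header received in a response from `url`.
  // Only name=value and Path are interpreted; without a Domain attribute
  // the cookie is host-only, which is the case modelled here.
  setCookie(url, header) {
    const { hostname, pathname } = new URL(url);
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = defaultPath(pathname);
    for (const attr of attrs) {
      const [k, v] = attr.split("=");
      if (k.toLowerCase() === "path" && v && v.startsWith("/")) path = v;
    }
    // `hostname` excludes the port, so :8080 and :8081 share one key space.
    this.store.set(`${name};${hostname};${path}`, { name, value, domain: hostname, path });
  }

  // Cookie header the browser would attach to a request for `url`.
  cookieHeader(url) {
    const { hostname, pathname } = new URL(url);
    return [...this.store.values()]
      .filter((c) => c.domain === hostname && pathMatches(pathname, c.path))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Replay the scenario from the original post: log in to application A
// (port 8080), then to application B (port 8081), then go back to A.
// Host, ports and session ids are constructed sample values.
function replay(nameA, nameB) {
  const jar = new CookieJar();
  jar.setCookie("http://server.example:8080/login", `${nameA}=sess-A; Path=/; HttpOnly`);
  jar.setCookie("http://server.example:8081/login", `${nameB}=sess-B; Path=/; HttpOnly`);
  return {
    sentToA: jar.cookieHeader("http://server.example:8080/home"),
    sentToB: jar.cookieHeader("http://server.example:8081/home"),
  };
}

// Same name on both applications: B's login replaces A's session id.
const shared = replay("JSESSIONID", "JSESSIONID");
// Port encoded in the name, as proposed in the thread: both ids survive.
const perApp = replay("JSESSIONID_8080", "JSESSIONID_8081");

console.log("shared name :", shared);
console.log("per-app name:", perApp);
```

Both cookies are still sent to both ports, so distinct names remove the collision but do not isolate the applications from each other.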