Posted to user@shiro.apache.org by Gabriel Titerlea <ga...@sync.ro> on 2016/10/13 06:19:19 UTC

Use an http header instead of a session cookie

Hello,

I want to use an http header instead of a cookie for session management.
I have a web-service which is accessed from a web client (web 
application) and from a desktop client (desktop application).
I want the desktop client to receive a session header which will be used 
for subsequent requests as a session id (similar to OAuth authorization 
tokens).
The desktop client and the web client will send all requests with this 
session header instead of a cookie.

How can I make Shiro look for a certain header and not for a cookie when 
determining whether an http request is authenticated or not?

Thank you,
Gabriel

Re: Use an http header instead of a session cookie

Posted by Gabriel Titerlea <ga...@sync.ro>.
I ended up implementing an AuthenticatingFilter which, after a 
successful login, sends back an access token.
And an AuthorizingFilter which looks for the presence of a valid access 
token in a certain http header.

Sorry for the low-effort question.

On 13-Oct-16 09:19, Gabriel Titerlea wrote:
> Hello,
>
> I want to use an http header instead of a cookie for session management.
> I have a web-service which is accessed from a web client (web 
> application) and from a desktop client (desktop application).
> I want the desktop client to receive a session header which will be 
> used for subsequent requests as a session id (Similar to OAuth 
> authorization tokens).
> The desktop client and the web client will send all requests with this 
> session header instead of a cookie.
>
> How can I make shiro look for a certain header and not for a cookie 
> when determining whether an http request is authenticated or not?
>
> Thank you,
> Gabriel
>
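
One way to write the header check described in the reply above, as an added example that is not code from the thread or from the Shiro project. The class name, the `X-Auth-Token` header, the 15-minute lifetime and the in-memory token map are assumptions; it targets Shiro 1.x with the `javax.servlet` API and only gates access, it does not bind the token to a Shiro Subject.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical filter: admits a request only if a header carries a live, server-issued token. */
public class HeaderTokenFilter extends AccessControlFilter {
    static final String HEADER = "X-Auth-Token";   // assumed header name
    static final long TTL_SECONDS = 15 * 60;       // assumed token lifetime
    private static final SecureRandom RNG = new SecureRandom();
    // token -> expiry; in-memory and per-node, for illustration only
    private static final Map<String, Instant> TOKENS = new ConcurrentHashMap<>();

    /** To be called by the login filter after a successful authentication. */
    public static String issueToken() {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, Instant.now().plusSeconds(TTL_SECONDS));
        return token;
    }

    /** Logout: the token stops working immediately, not at expiry. */
    public static void revoke(String token) { TOKENS.remove(token); }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        String token = WebUtils.toHttp(request).getHeader(HEADER);
        if (token == null || token.isEmpty()) return false;      // header missing
        Instant expiry = TOKENS.get(token);
        if (expiry == null) return false;                        // unknown or revoked
        if (Instant.now().isAfter(expiry)) { TOKENS.remove(token); return false; }
        return true;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;                                            // stop the filter chain
    }
}
```

Because the token is a bearer credential, anyone who obtains the header value can replay it until it expires or is revoked, so it should only travel over TLS and should be kept out of URLs and access logs.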