Posted to user@shiro.apache.org by shableh <nc...@gmail.com> on 2014/08/21 15:43:37 UTC

JSESSION id being put in the URL

Hey all,

I know there have been a few topics on this but none of them have seemed to
come up with a 'real' solution that works for me. Essentially I've been
noticing that the JSESSION id is getting put in the URL on failed login
attempts, or when the session has expired and they are kicked out back to
the login screen. I'd very much like to not have that JSESSION id getting
put in the URL and I'm not sure what else I need to configure.

Here is my shiro.ini
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 30000
securityManager.sessionManager.sessionDAO = $sessionStore
securityManager.sessionManager.sessionIdCookieEnabled = true

authc.loginUrl = /

[urls]
/error.jsp = anon
/resources/** = anon
/REST/** = authc, indexFilter
/logout = logout
/ = authc, indexFilter


And here is my shortened web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
	version="3.0">

	<display-name>skydropadmin</display-name>

	<context-param>
		<param-name>shiroEnvironmentClass</param-name>
		<param-value>org.ops4j.pax.shiro.cdi.web.CdiIniWebEnvironment</param-value>
	</context-param>
	
	<session-config>
	  <tracking-mode>COOKIE</tracking-mode>
	</session-config>
	
	<filter>
		<filter-name>ShiroFilter</filter-name>
		<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>ShiroFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<listener>
		<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
	</listener>

	<welcome-file-list>
		<welcome-file>index</welcome-file>
	</welcome-file-list>

	<resource-env-ref>
		<resource-env-ref-name>BeanManager</resource-env-ref-name>
		<resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
	</resource-env-ref>
</web-app>

So I've got the tracking mode set to cookie inside the web.xml, and the 
securityManager.sessionManager.sessionIdCookieEnabled = true
line inside the shiro.ini, but I'm still getting the JSESSION id in the URL. 

I'm using Tomcat 7, servlet 3.0 and shiro 1.2.3. Any help on this would be
greatly appreciated!



--
View this message in context: http://shiro-user.582556.n2.nabble.com/JSESSION-id-being-put-in-the-URL-tp7580163.html
Sent from the Shiro User mailing list archive at Nabble.com.
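
An added example, not part of the original post and not Shiro code: a Python check that finds session ids carried as a ;JSESSIONID= URL path parameter in redirect headers or access-log lines, and strips them before the lines are stored or shared. The log lines, the /app/ path, the id values and the function names are all constructed for illustration.

```python
import re

# Path-parameter form of a servlet session id, e.g. "/;JSESSIONID=abc123".
# Matched case-insensitively; the value ends at the next ; ? # quote or space.
SESSION_PARAM = re.compile(r';jsessionid=([^;?#\s"]+)', re.IGNORECASE)


def find_session_ids(text):
    """Return every session id value carried as a URL path parameter."""
    return SESSION_PARAM.findall(text)


def redact(text):
    """Remove the path parameter so the id does not persist in stored logs."""
    return SESSION_PARAM.sub("", text)


def audit(lines):
    """Return (line_number, ids, redacted_line) for each line that leaks an id."""
    findings = []
    for number, line in enumerate(lines, start=1):
        ids = find_session_ids(line)
        if ids:
            findings.append((number, ids, redact(line)))
    return findings


# Constructed sample: a failed login that redirects back to the login URL,
# the follow-up request, an unrelated request, and a REST call with a query.
SAMPLE = [
    '10.0.0.5 - - [21/Aug/2014:15:40:01 +0000] "POST /app/ HTTP/1.1" 302 -',
    'Location: http://localhost:8080/app/;JSESSIONID=0f3c9a7e-1b2d-4c5e-8f90',
    '10.0.0.5 - - [21/Aug/2014:15:40:02 +0000] '
    '"GET /app/;JSESSIONID=0f3c9a7e-1b2d-4c5e-8f90 HTTP/1.1" 200 1843',
    '10.0.0.5 - - [21/Aug/2014:15:40:09 +0000] '
    '"GET /app/resources/app.css?v=3;x HTTP/1.1" 200 512',
    '10.0.0.7 - - [21/Aug/2014:15:41:30 +0000] '
    '"GET /app/REST/items;jsessionid=A1B2C3D4?page=2 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for number, ids, clean in audit(SAMPLE):
        print(f"line {number}: {len(ids)} session id(s) in URL -> {clean}")
```

Any hit means the id has already reached places a cookie-only session never would, such as server logs, browser history and Referer headers.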

Re: JSESSION id being put in the URL

Posted by KonradZuse <Th...@hotmail.com>.
I don't know if you have to use the sessionManager, but you could most likely
get rid of that and that will get rid of all that on top.  I also noticed
that in production code you need the EHCache Manager or else the Session
Manager won't appear up on the URL line, for me at least.


