[jira] [Commented] (SHIRO-795) Disable session path rewriting by default

Benjamin Marwell (Jira)

    [ https://issues.apache.org/jira/browse/SHIRO-795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220117#comment-17220117 ]

Mahendran Mookkiah commented on SHIRO-795:

Thanks [~bdemers]. 

I am trying to understand the "Why?" part of this implementation.

If it is a security concern, I see [https://www.zaproxy.org/docs/alerts/3/] says "To be even more secure consider using a combination of cookie and URL rewrite". If this statement from the OWASP community is true, I am curious what triggered this change?


> Disable session path rewriting by default
> -----------------------------------------
>                 Key: SHIRO-795
>                 URL: https://issues.apache.org/jira/browse/SHIRO-795
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: Brian Demers
>            Priority: Major
>             Fix For: 2.0.0, 1.7.0
> After the addition of the "Invalid Request Filter", URL session rewriting is disabled.
> {code:java}
> # Enable the configuration in the session manager
> sessionManager.sessionIdUrlRewritingEnabled = true
> # and the invalid request filter
> invalidRequest.blockSemicolon = false
> {code}

This message was sent by Atlassian Jira
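A simplified model of the two settings named in the issue, added here as an example (it is my code, not Shiro's and not from the issue or the thread). It shows why re-enabling URL session rewriting needs both settings changed: the rewritten form of a URL carries the session id as a path parameter (`;JSESSIONID=...`), so a filter that blocks semicolons rejects the links the application itself emits. The `route()` function is my own background note on why a semicolon block is the safe default at all: a servlet container strips `;k=v` path parameters before routing, so a path-prefix rule evaluated on the raw URI and the container's routing can disagree about the same request. The `;JSESSIONID=` form, the `/admin/` prefix rule and the sample URLs are assumptions for the example.

```python
"""Added example for SHIRO-795 (written for this page, not Shiro's code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Settings:
    # The defaults are the ones the issue describes for Shiro 1.7.0 / 2.0.0.
    session_id_url_rewriting_enabled: bool = False  # sessionManager.sessionIdUrlRewritingEnabled
    block_semicolon: bool = True                    # invalidRequest.blockSemicolon


def encode_url(url: str, session_id: str, cfg: Settings, client_sent_cookie: bool) -> str:
    """Model of response.encodeURL(): append the session id as a path parameter
    only when rewriting is on and the client has not presented the cookie.
    (Assumed ';JSESSIONID=' form; the real container decides the name.)"""
    if client_sent_cookie or not cfg.session_id_url_rewriting_enabled:
        return url
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path
    return urlunsplit(parts._replace(path=f"{parts.path};JSESSIONID={session_id}"))


def is_invalid_request(request_uri: str, cfg: Settings) -> bool:
    """Model of the filter's semicolon check: any ';' in the path is rejected."""
    return cfg.block_semicolon and ";" in urlsplit(request_uri).path


def strip_path_params(path: str) -> str:
    """What a servlet container does before routing: drop ';k=v' from each segment."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def app_link_survives(cfg: Settings, session_id: str = "abc123") -> tuple[str, bool]:
    """Emit a link the way the app would for a cookie-less client, then run it
    through the filter. Returns (link, accepted)."""
    link = encode_url("/app/account", session_id, cfg, client_sent_cookie=False)
    return link, not is_invalid_request(link, cfg)


ADMIN_PREFIX = "/admin/"  # assumed path-based rule, e.g. '/admin/** = authc, roles[admin]'


def route(request_uri: str, cfg: Settings) -> str:
    """Compare a prefix rule applied to the raw URI with the container's view
    of the same request after path parameters are stripped (my summary of the
    general reason for blocking ';'; not text from the issue)."""
    if is_invalid_request(request_uri, cfg):
        return "rejected"
    raw = urlsplit(request_uri).path
    rule_hit = raw.startswith(ADMIN_PREFIX)
    container_hit = strip_path_params(raw).startswith(ADMIN_PREFIX)
    if rule_hit == container_hit:
        return "consistent"
    return "mismatch"  # rule skipped, but the container still routes under /admin/


if __name__ == "__main__":
    # Constructed sample requests: an app-emitted link and a path-parameter probe.
    for cfg in (Settings(),
                Settings(session_id_url_rewriting_enabled=True),
                Settings(session_id_url_rewriting_enabled=True, block_semicolon=False)):
        print(cfg, app_link_survives(cfg), route("/admin;x=y/list", cfg))
```

With the defaults, `app_link_survives` never produces a `;JSESSIONID=` link and `route` rejects any path-parameter request outright. Flipping only `sessionIdUrlRewritingEnabled` produces links that the filter then blocks, which is the behaviour the issue summarises as "URL session rewriting is disabled"; only flipping both settings, as the issue's snippet does, makes the rewritten links pass, and at that point `route` shows the raw-URI/container disagreement that the semicolon block was guarding against.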