[jira] [Commented] (SHIRO-795) Disable session path rewriting by default

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Commented] (SHIRO-795) Disable session path rewriting by default

Benjamin Marwell (Jira)

    [ https://issues.apache.org/jira/browse/SHIRO-795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220122#comment-17220122 ]

Brian Demers commented on SHIRO-795:

IMHO, the "to be even more secure" part is not correct, rewriting is about compatibility (not improving security)


There are a few things at play here.

1.) as described in that link, putting session info in a URL exposes the id, server logs, javascript on page, etc

2.) Session rewriting is defined in section 7.1.3 Servlet Spec, [https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf] (and thus Shiro does need to support it).

3.) The last release of Shiro added functionality to block common URL escape attacks, (semicolons were included in that list). However, we did not update the rewrite feature's default settings.  This left the potential for a user whoe triggered URL rewriting, to also be blocked on their next request. (This change resolves that issue)


Does that answer your question?

> Disable session path rewriting by default
> -----------------------------------------
>                 Key: SHIRO-795
>                 URL: https://issues.apache.org/jira/browse/SHIRO-795
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: Brian Demers
>            Priority: Major
>             Fix For: 2.0.0, 1.7.0
> After the addition of the "Invalid Request Filter", URL session rewriting is disabled.
> {code:java}
> # Enable the configuraiton in the session manager
> sessionManager.sessionIdUrlRewritingEnabled = true
> # and the invalid request filter
> invalidRequest.blockSemicolon = false{code}

This message was sent by Atlassian Jira