Hi Gareth,

Great catch - yes, we should fall back to checking path parameters if the request param check fails. Please open a Jira!

Thanks,
Les

On Thu, Mar 22, 2012 at 9:11 PM, gcollins <[email protected]> wrote:
> Hello Les,
>
> I am using Jetty 7.5.4 (as part of Pax Web which is installed as part of
> Apache Karaf).
>
> Thanks for the Servlet 2.5 reference. So if Shiro is adding the JSESSIONID
> in a servlet compliant way, then the code in the getReferencedSessionId
> method from org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> appears incorrect (the full code sample is in my above post). The code for
> getting the session from the URL is this:
>
>     //not in a cookie, or cookie is disabled - try the request params as a fallback (i.e. URL rewriting):
>     id = request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
>     if (id == null) {
>         //try lowercase:
>         id = request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME.toLowerCase());
>     }
>     .
>     .
>
> request.getParameter() gets http parameters, not URL path parameters (like
> ";JSESSIONID=") so Shiro will always fail to extract the JSESSIONID. This
> link tends to suggest that there is no API in the Servlet spec which can
> extract URL path parameters. Instead the full path needs to be retrieved via
> getRequestURI() and the path parameter is then extracted manually:
>
> https://cdivilly.wordpress.com/2011/04/22/java-servlets-uri-parameters/
>
> Does this appear correct? Should I add the JIRA? I could even try and fix
> it...
>
> thanks in advance,
> Gareth
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-Native-Sessions-JSESSIONID-or-JSESSIONID-tp7367217p7397601.html
> Sent from the Shiro User mailing list archive at Nabble.com.
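
The manual extraction from getRequestURI() discussed in this thread, as an added example that is not part of the original messages and is not Shiro's code. The class and method names are hypothetical, the sample URIs are constructed, and treating conflicting duplicate values as absent is a choice made in this example.

```java
import java.util.Arrays;
import java.util.List;

// Added example: hypothetical helper, not Shiro's implementation.
public class PathParamSessionId {

    // Returns the value of path parameter `name` (case-insensitive) from the raw
    // URI given by HttpServletRequest.getRequestURI(), or null when it is absent,
    // empty, or present with conflicting values (a choice made in this example).
    static String extract(String requestUri, String name) {
        if (requestUri == null || name == null) return null;
        // getRequestURI() should not include the query string; cut it defensively
        // so that "?x=;JSESSIONID=..." can never be read as a path parameter.
        int q = requestUri.indexOf('?');
        String path = q >= 0 ? requestUri.substring(0, q) : requestUri;
        String found = null;
        for (String segment : path.split("/")) {
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) { // parts[0] is the segment name
                int eq = parts[i].indexOf('=');
                if (eq <= 0 || !parts[i].substring(0, eq).equalsIgnoreCase(name)) continue;
                String value = parts[i].substring(eq + 1);
                if (value.isEmpty()) continue;
                if (found != null && !found.equals(value)) return null; // ambiguous
                found = value;
            }
        }
        // The result is untrusted input: it is only a lookup key for the session store.
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample URIs.
        List<String> samples = Arrays.asList(
            "/app/home;JSESSIONID=abc123",
            "/app/home;jsessionid=abc123",
            "/app;v=1/home;JSESSIONID=abc123;x=y",
            "/app/home",
            "/app/home?next=;JSESSIONID=fromquery",
            "/a;JSESSIONID=one/b;JSESSIONID=two");
        for (String uri : samples) {
            System.out.println(uri + " -> " + extract(uri, "JSESSIONID"));
        }
    }
}
```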
