Shiro project issue SHIRO-139

Cookie support refactoring - Simplify cookie configuration, support HttpOnly cookies and default session cookies to be HttpOnly = true


Details

• Type: Improvement
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.0.0
• Fix Version/s: 1.0.0
• Component/s: Web
• Labels: None

Description

It would also be prudent to refactor the cookie support in Shiro to

1) remove the overly verbose and complex RequestAttribute / CookieRequestAttribute concepts. This existed as a way to shield Shiro from implementation details on how to persist and retrieve data across requests. It'd be better to allow end-users to just configure a Cookie pojo instance that is set on cookie-capable components which in turn use a mechanism to set/remove the cookie

2) support the notion of HttpOnly cookies, which the servlet 2.4/2.5 API does not support, but we could support with our own Cookie pojo used in configuration (see #1) which we set on the response header directly (response.setHeader instead of response.addCookie)

3) After adding #2, default Shiro's session cookie to be HttpOnly = true for added security to reduce XSS attacks.
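The mechanism described in point 2 (bypassing javax.servlet.http.Cookie, which has no HttpOnly setter in Servlet 2.4/2.5, and writing the Set-Cookie header yourself) can be illustrated with the following added example. It is not Shiro's code and not the change that resolved this issue; the class name HttpOnlyCookieWriter and its method names are assumptions for illustration. It assumes only the Servlet API on the classpath. The header value is built in a pure method so it can be checked without a container, and the session cookie convenience method defaults to Secure and HttpOnly as point 3 proposes.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (added example, not Shiro's own code): writes a cookie as a
 * raw Set-Cookie header so the HttpOnly flag can be sent even though
 * javax.servlet.http.Cookie in Servlet 2.4/2.5 offers no setHttpOnly().
 */
public final class HttpOnlyCookieWriter {

    /** Max-Age conventions: -1 = browser-session cookie, 0 = delete, >0 = persist that many seconds. */
    public static final int SESSION = -1;
    public static final int DELETE = 0;

    private HttpOnlyCookieWriter() {
    }

    /** Builds the Set-Cookie header value. Pure, so it is testable without a servlet container. */
    public static String buildHeaderValue(String name, String value, String path,
                                          int maxAgeSeconds, boolean secure, boolean httpOnly) {
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("cookie name is required");
        }
        rejectUnsafeChars(name);
        rejectUnsafeChars(value);

        StringBuilder sb = new StringBuilder(name).append('=').append(value == null ? "" : value);
        if (path != null && path.length() > 0) {
            sb.append("; Path=").append(path);
        }
        if (maxAgeSeconds >= 0) {
            // Max-Age for RFC 2109+ clients; Expires for older browsers that only understand Netscape cookies.
            sb.append("; Max-Age=").append(maxAgeSeconds);
            sb.append("; Expires=").append(expiresValue(maxAgeSeconds));
        }
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    /** Sends the cookie. addHeader rather than setHeader so other Set-Cookie headers already on the response survive. */
    public static void addCookie(HttpServletResponse response, String name, String value,
                                 String path, int maxAgeSeconds, boolean secure, boolean httpOnly) {
        response.addHeader("Set-Cookie", buildHeaderValue(name, value, path, maxAgeSeconds, secure, httpOnly));
    }

    /** Convenience for the session id cookie: scoped to the context path, Secure and HttpOnly by default. */
    public static void addSessionIdCookie(HttpServletResponse response, String cookieName,
                                          String sessionId, String contextPath) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        addCookie(response, cookieName, sessionId, path, SESSION, true, true);
    }

    /** Removes the cookie by sending it back with Max-Age=0 and an Expires date in the past. */
    public static void removeCookie(HttpServletResponse response, String name, String path) {
        addCookie(response, name, "deleteMe", path, DELETE, false, true);
    }

    private static String expiresValue(int maxAgeSeconds) {
        Date when = maxAgeSeconds == 0
                ? new Date(0L)
                : new Date(System.currentTimeMillis() + maxAgeSeconds * 1000L);
        SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        return fmt.format(when);
    }

    /**
     * Because the header is assembled by hand, a ';', ',', CR or LF in the name or value
     * would smuggle extra attributes or headers into the response; reject them outright.
     */
    private static void rejectUnsafeChars(String s) {
        if (s == null) {
            return;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == ';' || c == ',' || c == '\r' || c == '\n') {
                throw new IllegalArgumentException("illegal character in cookie name or value");
            }
        }
    }
}
```

Calling buildHeaderValue("JSESSIONID", "abc123", "/app", SESSION, true, true) yields JSESSIONID=abc123; Path=/app; Secure; HttpOnly. Whether a given browser honours HttpOnly is outside the server's control, so the flag should be treated as defence in depth alongside output encoding, not as a substitute for it.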

People

• Assignee: Unassigned
• Reporter: lhazlewood Les Hazlewood
• Votes: 0
• Watchers: 0


Time Tracking

• Estimated: Original Estimate - 3h
• Remaining: Remaining Estimate - 3h
• Logged: Time Spent - Not Specified