It would also be prudent to refactor the cookie support in Shiro to:
1) remove the overly verbose and complex RequestAttribute / CookieRequestAttribute concepts. These existed to shield Shiro from the implementation details of how data is persisted and retrieved across requests. It would be better to let end users simply configure a Cookie POJO instance that is set on cookie-capable components, which in turn use a single mechanism to set/remove the cookie.
2) support the notion of HttpOnly cookies, which the Servlet 2.4/2.5 API does not support (javax.servlet.http.Cookie gained a setHttpOnly flag only in Servlet 3.0), but which we could support with our own Cookie POJO used in configuration (see #1) that writes the Set-Cookie header directly (response.setHeader / response.addHeader instead of response.addCookie).
3) after adding #2, default Shiro's session cookie to HttpOnly = true for added security: a script injected via XSS can then no longer read the session ID from document.cookie, which makes session hijacking through XSS considerably harder.
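The following is an added example of the approach proposed in #1 through #3, not Shiro's own code: a hypothetical ExampleHttpOnlyCookie POJO (the class name, the "deleteMe" removal value and the fluent setters are assumptions) that carries an httpOnly flag defaulting to true and emits the cookie by writing the Set-Cookie header itself, so it works on a Servlet 2.4/2.5 container. It assumes only the javax.servlet API jar on the classpath. Two practitioner details the proposal does not spell out are included: the header is written with addHeader rather than setHeader, because setHeader would replace a Set-Cookie header that another cookie already wrote to the same response, and the name and value are checked for CR/LF and ';' so a caller-controlled value cannot inject extra headers or cookie attributes.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical cookie POJO (example code, not a Shiro class) showing how an
 * HttpOnly cookie can be emitted on a Servlet 2.4/2.5 container by writing the
 * Set-Cookie header directly instead of calling response.addCookie(...).
 */
public class ExampleHttpOnlyCookie {

    public static final int SESSION_COOKIE = -1;           // no Max-Age: expires with the browser session
    public static final String DELETED_VALUE = "deleteMe"; // assumed placeholder value used on removal

    private final String name;
    private final String value;
    private String path = "/";
    private String domain;                // null: the browser defaults to the request host
    private int maxAge = SESSION_COOKIE;  // 0 deletes the cookie, >0 is a lifetime in seconds
    private boolean secure = false;       // send only over HTTPS
    private boolean httpOnly = true;      // item #3: on by default

    public ExampleHttpOnlyCookie(String name, String value) {
        // Refuse CR/LF (header injection) and ';' (attribute injection) in
        // anything that ends up inside the Set-Cookie header value.
        if (!isSafe(name) || !isSafe(value)) {
            throw new IllegalArgumentException("cookie name/value contains illegal characters");
        }
        this.name = name;
        this.value = value;
    }

    private static boolean isSafe(String s) {
        return s != null && s.indexOf('\r') < 0 && s.indexOf('\n') < 0 && s.indexOf(';') < 0;
    }

    public ExampleHttpOnlyCookie setPath(String path) { this.path = path; return this; }
    public ExampleHttpOnlyCookie setDomain(String domain) { this.domain = domain; return this; }
    public ExampleHttpOnlyCookie setMaxAge(int maxAge) { this.maxAge = maxAge; return this; }
    public ExampleHttpOnlyCookie setSecure(boolean secure) { this.secure = secure; return this; }
    public ExampleHttpOnlyCookie setHttpOnly(boolean httpOnly) { this.httpOnly = httpOnly; return this; }

    /** Builds the Set-Cookie header value, e.g. "JSESSIONID=abc; Path=/; Secure; HttpOnly". */
    public String toHeaderValue() {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) sb.append("; Path=").append(path);
        if (domain != null) sb.append("; Domain=").append(domain);
        if (maxAge >= 0) {
            // Max-Age for clients that honour it, plus Expires for older browsers
            // (notably older IE versions) that ignore Max-Age.
            sb.append("; Max-Age=").append(maxAge);
            sb.append("; Expires=").append(formatExpires(maxAge));
        }
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    private static String formatExpires(int maxAgeSeconds) {
        SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        return fmt.format(new Date(System.currentTimeMillis() + maxAgeSeconds * 1000L));
    }

    /** Writes the cookie to the response via the raw header, bypassing addCookie. */
    public void saveTo(HttpServletResponse response) {
        // addHeader rather than setHeader: setHeader would replace a Set-Cookie
        // header that another cookie already wrote to this response.
        response.addHeader("Set-Cookie", toHeaderValue());
    }

    /** Removes the cookie by re-sending it with Max-Age=0 and the same Path/Domain. */
    public void removeFrom(HttpServletResponse response) {
        new ExampleHttpOnlyCookie(name, DELETED_VALUE)
                .setPath(path).setDomain(domain).setMaxAge(0)
                .setSecure(secure).setHttpOnly(httpOnly)
                .saveTo(response);
    }
}
```

A session-cookie component configured with such an instance would call saveTo after creating a session and removeFrom on logout; because the Path and Domain must match the original cookie for the browser to delete it, removeFrom re-sends those attributes rather than only the name. On a Servlet 3.0+ container the same flag can be set with Cookie.setHttpOnly(true) and addCookie, but the raw-header route is what makes the flag available on 2.4/2.5.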