SHIRO-565

On Successful Login Shiro adds two response header values for the same remember-me cookie name.


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.3
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      On successful login, Shiro adds two cookie entries: one with deleteMe as the value and the other with the encrypted value.
      Though the delete-me cookie has an expired state, it should not be resent in the header. As per the cookie spec, the order of the response headers should not be relied upon.
      class : AbstractRememberMeManager
      method :

      public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) {
          //always clear any previous identity:
          forgetIdentity(subject);
          //now save the new identity:
          if (isRememberMe(token)) {
              rememberIdentity(subject, token, info);
          } else {
              if (log.isDebugEnabled()) {
                  log.debug("AuthenticationToken did not indicate RememberMe is requested. " +
                            "RememberMe functionality will not be executed for corresponding account.");
              }
          }
      }
      In the above code, forgetIdentity happens every time. A better place is in the else condition (when it is not remember-me).
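The following is an added, self-contained model of the behaviour described above; it is not Shiro's code and not the reporter's. It stands in for the servlet response with a fake that records every Set-Cookie header, mirrors the "forget then remember" order quoted in the issue beside the reporter's proposed order, and provides a count of Set-Cookie headers per cookie name that an integration test or response filter can assert on (RFC 6265 section 4.1.1 says a server SHOULD NOT send more than one Set-Cookie header with the same cookie-name in one response). The cookie name `rememberMe`, the cookie attributes, the method names `currentOnSuccessfulLogin`, `proposedOnSuccessfulLogin`, `countSetCookieFor` and the encrypted value are all constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not Shiro's code): a minimal model of how the remember-me
// manager's onSuccessfulLogin emits Set-Cookie headers, so the duplicate
// header described in this issue can be observed and checked for.
public class RememberMeHeaderDemo {

    /** Stand-in for HttpServletResponse: records every Set-Cookie header added. */
    static class FakeResponse {
        final List<String> setCookieHeaders = new ArrayList<>();

        void addHeader(String name, String value) {
            if ("Set-Cookie".equalsIgnoreCase(name)) {
                setCookieHeaders.add(value);
            }
        }
    }

    // Assumed cookie name; Shiro's default remember-me cookie name is configurable.
    static final String COOKIE_NAME = "rememberMe";

    /** Models the expired "deleteMe" cookie written when an identity is forgotten. */
    static void forgetIdentity(FakeResponse resp) {
        resp.addHeader("Set-Cookie", COOKIE_NAME + "=deleteMe; Path=/; Max-Age=0; HttpOnly");
    }

    /** Models writing the encrypted identity cookie; the value is a constructed placeholder. */
    static void rememberIdentity(FakeResponse resp, String encryptedIdentity) {
        resp.addHeader("Set-Cookie",
                COOKIE_NAME + "=" + encryptedIdentity + "; Path=/; Max-Age=31536000; HttpOnly");
    }

    /** Order as quoted in the issue: always forget first, then remember if requested. */
    static FakeResponse currentOnSuccessfulLogin(boolean rememberMe, String encryptedIdentity) {
        FakeResponse resp = new FakeResponse();
        forgetIdentity(resp);
        if (rememberMe) {
            rememberIdentity(resp, encryptedIdentity);
        }
        return resp;
    }

    /** Reporter's proposal: forget only when remember-me was not requested. */
    static FakeResponse proposedOnSuccessfulLogin(boolean rememberMe, String encryptedIdentity) {
        FakeResponse resp = new FakeResponse();
        if (rememberMe) {
            rememberIdentity(resp, encryptedIdentity);
        } else {
            forgetIdentity(resp);
        }
        return resp;
    }

    /** Defensive check: how many Set-Cookie headers in the response target one cookie name. */
    static int countSetCookieFor(FakeResponse resp, String cookieName) {
        int n = 0;
        for (String header : resp.setCookieHeaders) {
            if (header.startsWith(cookieName + "=")) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed placeholder, not a real encrypted identity.
        String placeholder = "BASE64_ENCRYPTED_IDENTITY_PLACEHOLDER";

        FakeResponse current = currentOnSuccessfulLogin(true, placeholder);
        FakeResponse proposed = proposedOnSuccessfulLogin(true, placeholder);

        System.out.println("current order : " + countSetCookieFor(current, COOKIE_NAME)
                + " Set-Cookie header(s) for " + COOKIE_NAME);
        for (String header : current.setCookieHeaders) {
            System.out.println("  " + header);
        }
        System.out.println("proposed order: " + countSetCookieFor(proposed, COOKIE_NAME)
                + " Set-Cookie header(s) for " + COOKIE_NAME);
        for (String header : proposed.setCookieHeaders) {
            System.out.println("  " + header);
        }
    }
}
```

With a remember-me login, the first variant records two Set-Cookie headers for the same name (the expired deleteMe cookie and the encrypted one) and the second records one; `countSetCookieFor` is the assertion point a test suite or an outbound response filter would use to flag any response that carries more than one Set-Cookie header for a given cookie name.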

        People

        • Assignee: Unassigned
        • Reporter: Amit.Yatagiri amit yatagiri