I'm currently developing an application with Spring and Shiro. I'm deploying to Tomcat 7 and in production I'm using nginx as a reverse proxy. Everything works smoothly (well, kind of) except that the jsessionid is added to each URL when accessing the application through the nginx proxy.
When I use the following nginx config:
    server {
        server_name example.com www.example.com;
        listen 80;
        location /myapp {
            proxy_pass http://localhost:8080;
        }
    }
I access the app through www.example.com/myapp, and everything is fine then: no jsessionid in the URL.
When I use the following config:
    server {
        server_name sub.example.com www.sub.example.com;
        listen 80;
        location / {
            proxy_pass http://localhost:8080/myapp/;
        }
    }
I access the app through www.sub.example.com, and then I see the jsessionid added to each URL (even after successful login).
I found a similar thread that advised adding the following to the web.xml:
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
That works - well, jsessionid is removed but I can't authenticate, which makes me think that there's a cookie configuration problem in nginx. Any advice?
EDIT//: Found the solution, just need to add the following in the nginx config:
    proxy_cookie_path /myapp/ /;
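Why the second proxy layout loses the session cookie and what `proxy_cookie_path /myapp/ /;` changes, as an added example that is not part of the original thread. It assumes Tomcat issues the cookie with `Path=/myapp/` (inferred from the directive above); the cookie value, request paths and the `rewrite_cookie_path` helper are constructed, and the helper is only a simplified model of the plain-string form of the nginx directive.

```python
# Added illustration. The cookie value and request paths are constructed;
# Path=/myapp/ is assumed from the proxy_cookie_path line in the post.
TOMCAT_SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/myapp/; HttpOnly"


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match, as browsers apply it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts when it ends on a "/" boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_path_of(set_cookie):
    """Return the Path attribute of a Set-Cookie value ("/" if absent, a simplification)."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            return value
    return "/"


def rewrite_cookie_path(set_cookie, old, new):
    """Simplified model of nginx `proxy_cookie_path old new;` (plain-string form):
    replace a leading `old` in the Path attribute, leave everything else alone."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    out = [first]
    for attr in attrs:
        name, _, value = attr.partition("=")
        if name.lower() == "path" and value.startswith(old):
            attr = f"{name}={new}{value[len(old):]}"
        out.append(attr)
    return "; ".join(out)


def browser_sends_cookie(set_cookie, request_path):
    return path_matches(request_path, cookie_path_of(set_cookie))


if __name__ == "__main__":
    fixed = rewrite_cookie_path(TOMCAT_SET_COOKIE, "/myapp/", "/")
    for label, header, path in [
        ("www.example.com/myapp/login, no rewrite", TOMCAT_SET_COOKIE, "/myapp/login"),
        ("sub.example.com/login, no rewrite", TOMCAT_SET_COOKIE, "/login"),
        ("sub.example.com/login, with rewrite", fixed, "/login"),
    ]:
        print(f"{label}: cookie sent = {browser_sends_cookie(header, path)}")
```

When the cookie is never returned, the container falls back to putting the session id in the URL, and with cookie-only tracking the session is simply lost, which matches the failed login described above.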
For Shiro specifically I fixed this problem in our application with the following - You need to add
    request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);

in the request that creates the JSESSIONID cookie on the client. Basically telling Shiro to use the cookie source instead of URL rewriting to get the session IDs.
The following doesn't work with Shiro's DefaultWebSessionManager. It only works with ServletContainerSessionManager
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>