
Alternative ways of transmitting session ID in Shiro


I am not sure if I am using the right terminology, but I was looking at the documentation and trying to work out if I could achieve the following with Shiro:-

  1. Allow the user to login via a post of JSON
  2. Check credentials and send a session ID to the user (probably on the header)
  3. For every subsequent request, send the session ID transmitted on the login response on the request header
  4. Use a SessionDAO which stores the session data in the DB (thereby creating a "sessionless" application).

I know how to create the session DAO, but I wasn't sure how to set the current subject on a web application. Is this possible? Is there any reason not to do this?


Solution

  • If you need to manage a session then the application is not sessionless. That said, take a look at the [DefaultWebSessionManager](https://github.com/apache/shiro/blob/master/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java). Though, if you are going through the hassle of setting a header anyway, you could just set the cookie header, and use this implementation as is.
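
One way to read the session ID from a request header by subclassing `DefaultWebSessionManager`, as an added example that is not part of the original answer or of Shiro itself. It assumes Shiro 1.x on the `javax.servlet` API; the class name `HeaderSessionManager` and the header name `X-Session-Id` are hypothetical.

```java
import java.io.Serializable;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical subclass: resolves the session ID from a request header only. */
public class HeaderSessionManager extends DefaultWebSessionManager {

    // Assumed header name; Shiro does not define one.
    public static final String SESSION_HEADER = "X-Session-Id";

    public HeaderSessionManager() {
        // The header is the only carrier, so never issue or read the session cookie.
        setSessionIdCookieEnabled(false);
    }

    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);
        String id = http.getHeader(SESSION_HEADER);
        if (id == null || id.trim().isEmpty()) {
            // No header means no referenced session. Returning null here also
            // skips the stock fallback that accepts a session ID from the URL.
            return null;
        }
        // Mirror the request attributes the stock manager sets so the rest of
        // Shiro's web layer sees a referenced session. The ID is still looked
        // up through the configured SessionDAO afterwards; an unknown or
        // expired ID is rejected there, not here.
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "header");
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        return id;
    }
}
```

Register the class as the security manager's session manager and give it the database-backed `SessionDAO` with `setSessionDAO(...)`. After `subject.login(token)` succeeds, the login handler can return `subject.getSession().getId()` in the response for the client to send back in `X-Session-Id`.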