good morning.
I don't know how to avoid this issue: Apache Shiro always creates a new session on every login page request. The behaviour I need is to create a session only after a successful log-in because on the contrary we have a security issue if on every login page request we have a new session.
Searching in Stakoverflow I found a similar issue and the proposal to solve this problem was to configure shiro.ini like this:
/login = authc
/logout = noSessionCreation, logout
/** = noSessionCreation, anon
But I've tried that and other configurations with no success.
Is there a solution to avoid this?
Any help would be much appreciated.
Thank you very much.