Philipp Kapfer created SHIRO-639:
------------------------------------
Summary: Refresh cached session in HTTP request after user logs out
Key: SHIRO-639
URL: https://issues.apache.org/jira/browse/SHIRO-639
Project: Shiro
Issue Type: Bug
Components: Authentication (log-in), Subject, Web
Affects Versions: 1.3.2
Environment: Jetty 9.4.5, Wicket 7.7.0
Reporter: Philipp Kapfer
Attachments: ShiroHttpServletRequest.patch

For native session management in web environments, the
_ShiroHttpServletRequest_ caches calls to _getSession()_ by saving a copy of
the current subject's session to a member variable. This copy is never updated
even when the subject logs out and the session is destroyed.

When the session is accessed again after logout, an {{UnknownSessionException}}
can be thrown because the session referenced in the request is not physically
available anymore (this could be the cause for
[SHIRO-614|https://issues.apache.org/jira/browse/SHIRO-614]).

The Shiro HTTP request therefore has to check the state of the cached session
and refresh it if necessary, just as the original Jetty Request class does as
well.

Please see the attached patch for a possible solution that Works For Me™
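
The caching behaviour described in the report, reduced to a self-contained model. This is an added example, not Shiro code and not the attached patch: `Session`, `Subject`, `Request`, `LIVE` and `usableAfterLogout` are hypothetical stand-ins, and an `IllegalStateException` plays the role of the `UnknownSessionException`. It runs the same logout-during-request sequence once without and once with a validity check on the cached session.

```java
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model, not Shiro code; every class and method name here is hypothetical.
public class StaleSessionDemo {
    // Stand-in for the native session store: holds the ids of live sessions.
    static final Set<String> LIVE = ConcurrentHashMap.newKeySet();

    static class Session {
        final String id = UUID.randomUUID().toString();
        Session() { LIVE.add(id); }
        boolean isValid() { return LIVE.contains(id); }
        // Any access to a destroyed session fails, as in the report.
        void touch() { if (!isValid()) throw new IllegalStateException("unknown session"); }
    }

    // Stand-in for the subject: logout destroys the current session.
    static class Subject {
        private Session current;
        Session getSession() { if (current == null) current = new Session(); return current; }
        void logout() { if (current != null) LIVE.remove(current.id); current = null; }
    }

    // Request wrapper that caches the session; 'refresh' enables the validity check.
    static class Request {
        private final Subject subject;
        private final boolean refresh;
        private Session cached;
        Request(Subject subject, boolean refresh) { this.subject = subject; this.refresh = refresh; }
        Session getSession() {
            // Without the check, a destroyed session stays cached for the rest of the request.
            if (cached == null || (refresh && !cached.isValid())) cached = subject.getSession();
            return cached;
        }
    }

    // Returns true if the session obtained from the request after logout is usable.
    static boolean usableAfterLogout(boolean refresh) {
        Subject subject = new Subject();
        Request request = new Request(subject, refresh);
        request.getSession();   // first call caches the session in the request
        subject.logout();       // session destroyed while the request is still in flight
        try { request.getSession().touch(); return true; }
        catch (IllegalStateException e) { return false; }
    }
    public static void main(String[] args) {
        System.out.println("cached, no check: usable=" + usableAfterLogout(false));
        System.out.println("cached, checked:  usable=" + usableAfterLogout(true));
    }
}
```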