[ https://issues.apache.org/jira/browse/SHIRO-637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francois Papon updated SHIRO-637:
---------------------------------
    Fix Version/s: 1.4.1

> Refresh cached session in HTTP request after user logs out
> ----------------------------------------------------------
>
>                 Key: SHIRO-637
>                 URL: https://issues.apache.org/jira/browse/SHIRO-637
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in), Subject, Web
>    Affects Versions: 1.3.2
>            Reporter: Philipp Kapfer
>            Priority: Major
>              Labels: easyfix, patch
>             Fix For: 1.4.1
>
>         Attachments: ShiroHttpServletRequest.patch
>
>
> For native session management in web environments, the
> _ShiroHttpServletRequest_ caches calls to _getSession()_ by saving a copy of
> the current subject's session to a member variable. This copy is never
> updated even when the subject logs out and the session is destroyed.
> When the session is accessed again after logout, an
> {{UnknownSessionException}} can be thrown because the session referenced in
> the request is not physically available anymore (this could be the cause for
> [SHIRO-614|https://issues.apache.org/jira/browse/SHIRO-614]).
> The Shiro HTTP request therefore has to check the state of the cached session
> and refresh it if necessary, just as the original Jetty Request class does as
> well.
> Please see the attached patch for a possible solution that Works For Me™

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
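
A minimal model of the stale request-scoped session cache described in the report, added here as an illustration; it is not Shiro code and not the attached patch. The `Session`, `Subject` and `Request` classes and the `refreshStale` flag are hypothetical stand-ins, and `IllegalStateException` stands in for `UnknownSessionException`.

```java
// Hypothetical model of the report's scenario; these are not Shiro classes.
public class StaleSessionCacheDemo {
    static class Session {
        final String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
        Object getAttribute(String key) {
            // A destroyed session can no longer be read (stand-in for UnknownSessionException).
            if (!valid) throw new IllegalStateException("unknown session " + id);
            return null;
        }
    }
    // Stand-in for the subject: owns the live session and creates a new one after logout.
    static class Subject {
        private Session current;
        private int created = 0;
        Session getSession() {
            if (current == null) current = new Session("s" + (++created));
            return current;
        }
        void logout() { if (current != null) current.valid = false; current = null; }
    }
    // Stand-in for the request wrapper that caches getSession() in a member variable.
    static class Request {
        private final Subject subject;
        private final boolean refreshStale; // false = the behaviour described in the report
        private Session cached;
        Request(Subject s, boolean refreshStale) { this.subject = s; this.refreshStale = refreshStale; }
        Session getSession() {
            // With refreshStale set, an invalidated cached copy is replaced before use.
            if (cached == null || (refreshStale && !cached.valid)) cached = subject.getSession();
            return cached;
        }
    }

    public static void main(String[] args) {
        for (boolean refresh : new boolean[] {false, true}) {
            Subject subject = new Subject();
            Request request = new Request(subject, refresh);
            request.getSession();   // the request caches the live session
            subject.logout();       // session destroyed while the request is still in flight
            try {
                request.getSession().getAttribute("user");
                System.out.println("refreshStale=" + refresh + ": new session " + request.getSession().id);
            } catch (IllegalStateException e) {
                System.out.println("refreshStale=" + refresh + ": " + e.getMessage());
            }
        }
    }
}
```

Besides avoiding the exception, the validity check keeps code that runs later in the same request from holding a reference to the logged-out session.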