Hi sb. Did you set the "cipherKey" to the same value (or a value at all) on all your instances?
See: https://shiro.apache.org/configuration.html

Also, if you have multiple servers, you'd either need to configure session stickiness (e.g. via load balancer and JSESSIONID) and/or a distributed session cache.

The documentation needs updates in this regard. Can you please check that you have set such a cipherKey?

- Ben

On Sat, 19 Feb 2022, 10:59 Steinar Bang, <s...@dod.no> wrote:

> Platform: amd64, debian 11.2 "bullseye", openjdk 11.0.14,
> karaf 4.3.6, shiro 1.7.0
>
> This is a problem I have with shiro that appears and then disappears as
> mysteriously as it appears and "out of sight, out of mind".
>
> But today I have decided to dig a little bit deeper.
>
> Most of the time shiro works for me. But from time to time I run into a
> problem that requires me to do frequent logins.
>
> I.e. when shiro is the "gateway" to a SPA then entry works fine, but if
> I e.g. do a reload of the application I'm redirected to the login page
> and have to log in again.
>
> When this happens, I see a lot of the following in karaf.log:
> https://gist.github.com/steinarb/9d5240e78b0a177a115d3c10540fa1a4
>
> Also, if I try a different browser, or if I try an incognito window of
> the same browser, authentication seems to work normally, and without the
> frequent login error.
>
> But when I try clearing the cookies of the browser with the problem
> (which should have the same effect...?) it doesn't help.
>
> I have googled for the error message without finding anything useful. I
> have also visited the suggested URL
> https://shiro.apache.org/web.html#remember_me_services
> without understanding much more.
>
> Is my problem that I am trying to remember a cookie without having set
> an encryption key? But if so: why does it sometimes seem to work?
>
> I have grepped my code for "rememberMe" and "RememberMe" and haven't
> found any matches, so that flag on the token I have not set.
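The situation Ben's reply asks about, as an added example that is not part of the original thread and is not Shiro's own code: a JDK-only model of an encrypted rememberMe-style cookie, showing that a cookie issued under one key is rejected by an instance holding a different key and accepted when both share one key. `CipherKeyDemo`, `Instance`, `issue` and `accept` are hypothetical names, AES-GCM with a 12-byte IV is an assumption of the model, and so is the premise that an instance without a configured cipherKey ends up with a random key of its own.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration: models an encrypted rememberMe-style cookie with JDK AES-GCM.
// Instance, issue() and accept() are hypothetical names, not Shiro classes or methods.
public class CipherKeyDemo {
    static byte[] random(int n) {
        byte[] b = new byte[n];
        new SecureRandom().nextBytes(b);
        return b;
    }

    static class Instance {
        final SecretKeySpec key;
        Instance(byte[] key) { this.key = new SecretKeySpec(key, "AES"); }
        // Cookie value = base64(iv || ciphertext || tag), fresh IV per cookie.
        String issue(String principal) throws GeneralSecurityException {
            byte[] iv = random(12);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(principal.getBytes(StandardCharsets.UTF_8));
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return Base64.getEncoder().encodeToString(out);
        }
        // Returns the principal, or null when the cookie was not encrypted with this key.
        String accept(String cookie) {
            try {
                byte[] in = Base64.getDecoder().decode(cookie);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
                return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                return null; // tag check failed (wrong key) or malformed cookie
            }
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        String cookie = new Instance(random(16)).issue("constructed-user");
        // A second instance with its own random key cannot decrypt that cookie.
        System.out.println("own key:    " + new Instance(random(16)).accept(cookie));
        byte[] shared = random(16); // stands in for one configured key, the same on every instance
        System.out.println("shared key: " + new Instance(shared).accept(new Instance(shared).issue("constructed-user")));
    }
}
```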