[ 
https://issues.apache.org/jira/browse/GEODE-2354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15843379#comment-15843379
 ] 

Swapnil Bawaskar edited comment on GEODE-2354 at 1/27/17 7:40 PM:
------------------------------------------------------------------

Adding my comment from review board:

From this page (https://shiro.apache.org/session-management.html):
"By default, Shiro’s SessionManager implementations default to a 30-minute 
session timeout. That is, if any Session created remains idle (unused, where 
its lastAccessedTime isn’t updated) for 30 minutes or more, the Session is 
considered expired and will not be allowed to be used anymore.
You can set the default SessionManager implementation’s globalSessionTimeout 
property to define the default timeout value for all sessions. For example, if 
you wanted the timeout to be an hour instead of 30 minutes."

Given that, wouldn't a better fix be to update lastAccessedTime as opposed to 
never expiring a session?


was (Author: swapnil.bawaskar):
Adding my comment from review board:

From this page (https://shiro.apache.org/session-management.html):
"By default, Shiro’s SessionManager implementations default to a 30-minute 
session timeout. That is, if any Session created remains idle (unused, where 
its lastAccessedTime isn’t updated) for 30 minutes or more, the Session is 
considered expired and will not be allowed to be used anymore.
You can set the default SessionManager implementation’s globalSessionTimeout 
property to define the default timeout value for all sessions. For example, if 
you wanted the timeout to be an hour instead of 30 minutes."

Given that wouldn't a better fix be to update lastAccessedTime as opposed to 
never expiring a session?

> Use of security-manager results in UnknownSessionExceptions after 30 minutes 
> idle
> ---------------------------------------------------------------------------------
>
>                 Key: GEODE-2354
>                 URL: https://issues.apache.org/jira/browse/GEODE-2354
>             Project: Geode
>          Issue Type: Bug
>          Components: security
>            Reporter: Kirk Lund
>            Assignee: Jinmei Liao
>
> If the User specifies a SecurityManager with security-manager, all authorized 
> operations start to fail with UnknownSessionExceptions after 30 minutes idle 
> which is the default globalSessionTimeout in Apache Shiro.
> Workaround: specify security-shiro-init in gemfire.properties and configure 
> everything via Shiro within a shiro.ini.
> Fixing this will require changes to IntegratedSecurityService to set the 
> globalSessionTimeout higher or to re-authenticate after a timeout.
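
The two behaviours discussed above (a session left idle past globalSessionTimeout versus one whose lastAccessedTime is refreshed), as an added stand-alone Shiro example that is not Geode's IntegratedSecurityService code or the fix under review. The account name, password and the 2-second timeout are constructed for the demo; it needs shiro-core and its dependencies on the classpath.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

public class IdleTimeoutDemo {
    public static void main(String[] args) throws Exception {
        // Constructed account, standing in for whatever authenticates the user.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("demo-user", "demo-password");

        // Shrink the 30-minute default to 2 seconds so the demo finishes quickly.
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setGlobalSessionTimeout(2_000L);

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);

        // Case 1: the session sits idle past the timeout and is rejected on next use.
        Session idle = login(securityManager).getSession();
        Thread.sleep(3_000L);
        System.out.println("idle session usable:    " + usable(idle));

        // Case 2: touch() refreshes lastAccessTime, so the idle clock restarts each
        // time and the session outlives the 2-second timeout while it is in use.
        Session active = login(securityManager).getSession();
        for (int i = 0; i < 3; i++) {
            Thread.sleep(1_000L);
            active.touch();
        }
        System.out.println("touched session usable: " + usable(active));
    }

    static Subject login(DefaultSecurityManager securityManager) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken("demo-user", "demo-password"));
        return subject;
    }

    // ExpiredSessionException and UnknownSessionException both extend InvalidSessionException.
    static boolean usable(Session session) {
        try { session.getAttribute("probe"); return true; }
        catch (InvalidSessionException e) { System.out.println("  " + e.getClass().getSimpleName()); return false; }
    }
}
```

Refreshing lastAccessTime keeps the idle timeout in force for sessions that really are abandoned, which a raised or disabled globalSessionTimeout does not.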


