Les, I'm using native session (<property name="sessionMode" value="shiro"/>). For sure I'm not with the latest version of shiro... I'm using this snapshot for over two months. As you say it is unlikely that it is related to the last fixes, I'll try to keep this version, unless things do not get in line.
I just tested global timeout ( <property name="globalSessionTimeout" value="10000"/> ), but the session is not expiring as fast as I expected... it lasted minutes. Is a number as low as this accepted? I used 10s for testing... I plan to use something around 15 minutes. I use no listeners so far, but I guess they will do the job. As I said, I store some user data on the session (name, nick, company it works for...) and this data is put on the header of every page, so if the listener is called the first time the expired session is accessed, it will be fine. I'll try that right now... any problem, I'll bother you again! ;-) Thanks again! On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood <[email protected]>wrote: > Hi Mad, > > Are you using standard ServletContainer sessions? or Shiro's native > sessions? > > If using native sessions, ensure you're using the latest version of > Shiro - a few session-related bugs were fixed over the last month. I > doubt they would be related to what you're seeing, but at least its > worth a try. > > You can also set the global session timeout (for all sessions) setting > sessionManager.globalSessionTimeout = desiredMilliseconds. > > Also, you could implement a org.apache.shiro.session.SessionListener > to listen to session lifecycle events > (securityManager.setSessionListeners(Collection<SessionListener> > listeners); ). Note however that session validation (for expiration) > is done lazily: you won't receive an 'expiredSession' notification > the exact instant it expires. You'll receive the notification if an > expired session is ever accessed or the next time Shiro's session > validator executes (configurable - defaults to once per hour I think). > > Finally, if you want to know about logins and logouts, don't use a > SessionListener for this - use an > org.apache.shiro.authc.AuthenticationListener > > (securityManager.setAuthenticationListeners(Collection<AuthenticationListener> > listeners); ). > > Regards, > > Les > > On Fri, Aug 21, 2009 at 9:49 AM, mad rug<[email protected]> wrote: > > Hi > > I'm having some problem with my application. I use Shiro in a Spring MVC > > application much like the sample included with Shiro. I use Shiro > session, > > and I store some logged user data in it (user ID, company that user > belongs > > to, etc), but sometimes my app seem to be losing its session, like a > > timeout, but without long inactive periods. I notice it quickly because > my > > header pages contain the name of the user and its company name, and they > > suddenly are gone, even though I remain authenticated (<shiro:principal/> > > still returns the user principal). > > I don't know where I am missing some config to make the session last > > longer... how can I handle it? > > Moreover, does Shiro provide any facility to handle session timeout, and > > maybe redirect to some warning page? > > Thanks! >
