In that case you will want the latest snapshot version - now that I think about it, I think one of those bugs did affect session timeout.
On Fri, Aug 21, 2009 at 11:07 AM, mad rug<[email protected]> wrote: > Les, > I'm using native session (<property name="sessionMode" value="shiro"/>). For > sure I'm not with the latest version of shiro... I'm using this snapshot for > over two months. As you say it is unlikely that it is related to the last > fixes, I'll try to keep this version, unless things do not get in line. > I just tested global timeout ( <property name="globalSessionTimeout" > value="10000"/> ), but the session is not expiring as fast as I expected... > it lasted minutes. Is a number as low as this accepted? I used 10s for > testing... I plan to use something around 15 minutes. > I use no listeners so far, but I guess they will do the job. As I said, I > store some user data on the session (name, nick, company it works for...) > and this data is put on the header of every page, so if the listener is > called the first time the expired session is accessed, it will be fine. > I'll try that right now... any problem, I'll bother you again! ;-) > Thanks again! > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood <[email protected]> > wrote: >> >> Hi Mad, >> >> Are you using standard ServletContainer sessions? or Shiro's native >> sessions? >> >> If using native sessions, ensure you're using the latest version of >> Shiro - a few session-related bugs were fixed over the last month. I >> doubt they would be related to what you're seeing, but at least its >> worth a try. >> >> You can also set the global session timeout (for all sessions) setting >> sessionManager.globalSessionTimeout = desiredMilliseconds. >> >> Also, you could implement a org.apache.shiro.session.SessionListener >> to listen to session lifecycle events >> (securityManager.setSessionListeners(Collection<SessionListener> >> listeners); ). Note however that session validation (for expiration) >> is done lazily: you won't receive an 'expiredSession' notification >> the exact instant it expires. You'll receive the notification if an >> expired session is ever accessed or the next time Shiro's session >> validator executes (configurable - defaults to once per hour I think). >> >> Finally, if you want to know about logins and logouts, don't use a >> SessionListener for this - use an >> org.apache.shiro.authc.AuthenticationListener >> >> (securityManager.setAuthenticationListeners(Collection<AuthenticationListener> >> listeners); ). >> >> Regards, >> >> Les >> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug<[email protected]> wrote: >> > Hi >> > I'm having some problem with my application. I use Shiro in a Spring MVC >> > application much like the sample included with Shiro. I use Shiro >> > session, >> > and I store some logged user data in it (user ID, company that user >> > belongs >> > to, etc), but sometimes my app seem to be losing its session, like a >> > timeout, but without long inactive periods. I notice it quickly because >> > my >> > header pages contain the name of the user and its company name, and they >> > suddenly are gone, even though I remain authenticated >> > (<shiro:principal/> >> > still returns the user principal). >> > I don't know where I am missing some config to make the session last >> > longer... how can I handle it? >> > Moreover, does Shiro provide any facility to handle session timeout, and >> > maybe redirect to some warning page? >> > Thanks! > >
