Hi Mad,

Wait until tomorrow when hopefully the trunk is back to being stable again - then you should try the latest trunk as I recall a session timeout bug being fixed early last week.

- Les

On Tue, Aug 25, 2009 at 10:14 AM, mad rug<[email protected]> wrote:
> I'm still troubled with this...
> I keep losing my session after 30 minutes (default timeout), no matter the
> user activity. I need to fix this to allow session expiration after some
> time of inactivity, and present nice messages when the session expires.
> What's the way to do this?
> Thanks!
>
> On Fri, Aug 21, 2009 at 12:57 PM, mad rug <[email protected]> wrote:
>>
>> Well, I might try it then... weekend is coming, and I can get what I had
>> to do until Monday, and still fix this... I hope :-P
>> Other notes:
>> - I thought that I may change the sessionValidationInterval property to a
>> lower value so the session gets invalidated quickly, but I couldn't find it
>> on DefaultWebSecurityManager, even though it
>> extends AbstractValidatingSessionManager;
>> - I read about autoCreateSessionAfterInvalidation, that it is defaulted to
>> true, I got a doubt: if the session is replaced by a new one, like I guess
>> it is happening in my case, then this is merely a dev convenience to let the
>> user log itself using the already available new session, but all the data
>> stored in the previous session is gone, is that right?
>> I implemented a SessionListener, but I'm now unsure how it will help me.
>> First, it does notify me on session timeout, but all that I get is the
>> expired session... I want to notify the user with some 'session expired,
>> login again' message, but an expired session won't help me on that, I guess.
>> How can I do it?
>> Second, I used the listener to set my 10s timeout by code to test
>> expiration, and it expires my session after the 10s, but no matter if I'm
>> inactive or performing actions and navigating around my app all the time. Is
>> this right, or is that one of your fixed bugs?
>> Thanks again Les. You've been invaluable to get my application working!
>>
>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood <[email protected]>
>> wrote:
>>>
>>> In that case you will want the latest snapshot version - now that I
>>> think about it, I think one of those bugs did affect session timeout.
>>>
>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug<[email protected]> wrote:
>>> > Les,
>>> > I'm using native session (<property name="sessionMode" value="shiro"/>).
>>> > For sure I'm not with the latest version of shiro... I'm using this
>>> > snapshot for over two months. As you say it is unlikely that it is
>>> > related to the last fixes, I'll try to keep this version, unless things
>>> > do not get in line.
>>> > I just tested global timeout ( <property name="globalSessionTimeout"
>>> > value="10000"/> ), but the session is not expiring as fast as I
>>> > expected... it lasted minutes. Is a number as low as this accepted? I
>>> > used 10s for testing... I plan to use something around 15 minutes.
>>> > I use no listeners so far, but I guess they will do the job. As I said,
>>> > I store some user data on the session (name, nick, company it works
>>> > for...) and this data is put on the header of every page, so if the
>>> > listener is called the first time the expired session is accessed, it
>>> > will be fine.
>>> > I'll try that right now... any problem, I'll bother you again! ;-)
>>> > Thanks again!
>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood <[email protected]>
>>> > wrote:
>>> >>
>>> >> Hi Mad,
>>> >>
>>> >> Are you using standard ServletContainer sessions? or Shiro's native
>>> >> sessions?
>>> >>
>>> >> If using native sessions, ensure you're using the latest version of
>>> >> Shiro - a few session-related bugs were fixed over the last month. I
>>> >> doubt they would be related to what you're seeing, but at least it's
>>> >> worth a try.
>>> >>
>>> >> You can also set the global session timeout (for all sessions) setting
>>> >> sessionManager.globalSessionTimeout = desiredMilliseconds.
>>> >>
>>> >> Also, you could implement an org.apache.shiro.session.SessionListener
>>> >> to listen to session lifecycle events
>>> >> (securityManager.setSessionListeners(Collection<SessionListener>
>>> >> listeners); ). Note however that session validation (for expiration)
>>> >> is done lazily: you won't receive an 'expiredSession' notification
>>> >> the exact instant it expires. You'll receive the notification if an
>>> >> expired session is ever accessed or the next time Shiro's session
>>> >> validator executes (configurable - defaults to once per hour I think).
>>> >>
>>> >> Finally, if you want to know about logins and logouts, don't use a
>>> >> SessionListener for this - use an
>>> >> org.apache.shiro.authc.AuthenticationListener
>>> >> (securityManager.setAuthenticationListeners(Collection<AuthenticationListener>
>>> >> listeners); ).
>>> >>
>>> >> Regards,
>>> >>
>>> >> Les
>>> >>
>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug<[email protected]> wrote:
>>> >> > Hi
>>> >> > I'm having some problem with my application. I use Shiro in a Spring
>>> >> > MVC application much like the sample included with Shiro. I use Shiro
>>> >> > session, and I store some logged user data in it (user ID, company
>>> >> > that user belongs to, etc), but sometimes my app seems to be losing
>>> >> > its session, like a timeout, but without long inactive periods. I
>>> >> > notice it quickly because my header pages contain the name of the
>>> >> > user and its company name, and they suddenly are gone, even though I
>>> >> > remain authenticated (<shiro:principal/> still returns the user
>>> >> > principal).
>>> >> > I don't know where I am missing some config to make the session last
>>> >> > longer... how can I handle it?
>>> >> > Moreover, does Shiro provide any facility to handle session timeout,
>>> >> > and maybe redirect to some warning page?
>>> >> > Thanks!
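
The settings discussed in this thread (global session timeout, validation interval, session listener) wired together programmatically, as an added example that is not code from any poster or from the Shiro project. It assumes the released Shiro 1.x API (`DefaultWebSessionManager`, `SessionListenerAdapter`), which differs from the 2009 snapshot the thread refers to; the class names `SessionTimeoutConfig` and `AuditListener` and the interval values are illustrative.

```java
import java.util.Collections;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.session.SessionListenerAdapter;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Hypothetical configuration class (assumes Shiro 1.x on the classpath).
public class SessionTimeoutConfig {

    // Illustrative values: 15 minutes idle timeout, validation sweep every minute.
    static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L;
    static final long VALIDATION_INTERVAL_MS = 60 * 1000L;

    /** Records expirations for audit; Shiro reports them lazily, as noted in the thread. */
    static class AuditListener extends SessionListenerAdapter {
        @Override
        public void onExpiration(Session session) {
            // Only the expired session is available here, not the HTTP response,
            // so this hook suits audit and cleanup rather than user-facing messages.
            System.out.printf("session %s expired; last access %s%n",
                    session.getId(), session.getLastAccessTime());
        }
    }

    public static DefaultWebSecurityManager build() {
        DefaultWebSessionManager sessions = new DefaultWebSessionManager();

        // The timeout is measured from the session's last access time,
        // so it expresses inactivity rather than total session age.
        sessions.setGlobalSessionTimeout(IDLE_TIMEOUT_MS);

        // Sweep for expired sessions periodically instead of relying only on
        // the check that happens when an expired session is next accessed.
        sessions.setSessionValidationSchedulerEnabled(true);
        sessions.setSessionValidationInterval(VALIDATION_INTERVAL_MS);

        sessions.setSessionListeners(
                Collections.<SessionListener>singletonList(new AuditListener()));

        // Realms are configured elsewhere; this example covers session settings only.
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessions);
        return securityManager;
    }
}
```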
