> I opened two IE browsers and started the application and logged in using
> some username. Both browsers use the same session; this is fine, but if I
> log in with the same user in different browsers (IE, Firefox), Shiro creates
> two different sessions at the server.

Sessions for web-based apps are identified by default by a session cookie. Naturally, two different browsers won't share session cookies. Your application will need to transmit the session ID to the other browser in some way. This is typically done by 'joining' the session from Browser A by manually setting the cookie yourself after login. That is:

Browser A starts the session and the session id cookie is set.

Browser B accesses the website and logs in. You discover that there is already an open session for the user (query your Session store) and manually set the 'JSESSIONID' cookie on the response after login to be that session's ID.

All subsequent requests from either browser will share the same session.

This is highly unusual though. I don't know why there would ever be an actual application requirement to use 2 separate browser installations accessing the same session. It is far more common to allow concurrent logins for the same user so a user can use 2 separate browsers with 2 separate (but concurrent) sessions.

> If I disable cookies in my browsers, what is the fallback mechanism for
> Shiro to handle sessions?

URL rewriting, supported by the servlet specification. Shiro does this correctly if cookies are disabled per the servlet specification, but you, the programmer, are responsible for calling HttpServletResponse#encodeUrl or HttpServletResponse#encodeRedirectUrl. Or you could use JSTL tags that would call this for you, e.g. <c:out/>.

> Now I am using native Shiro session mode. If I change native to http mode,
> the timeout does not take effect. I changed the defaultWebSessionManager to
> ServletContainerManager but the session timeout is not reflected.

Session stop/expiration notifications only work when using Shiro's 'native' session mode. Since Shiro does not manage servlet container sessions, there is no easy way for Shiro to know when the servlet container has expired a session. You might want to use a HttpSessionListener when using ServletContainer sessions (specified in web.xml).

> My UI is Flex so I didn’t configure any URL for login. If the session expired or
> logged out I am redirecting / or opening a page. But if I try to log in again
> without closing the browser, ShiroFilter does not allow me to call my remote
> server using BlazeDS; instead it throws an UnknownSessionException. Is it
> not possible to log in again after logout in the same browser?

The default behavior for web applications is to automatically create a new session when encountering an expired one. You shouldn't see an UnknownSessionException sent to the client tier - a new session ID cookie should be set.

After logging out, the session is invalidated and the session id cookie is removed. Your next request to the system would start a new session and set a new session id cookie. So yes, logging out and logging back in again in the same browser works just fine. I'm afraid I'd need a test case to be able to see exactly what problem you're encountering.

Regards,

Les
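
The reply above points to an HttpSessionListener for learning when the servlet container ends a session. The following is an added example, not part of the original message or of Shiro: a listener that audits container-managed session ends and estimates whether each was an idle timeout or an explicit invalidation. The package, class name, log format and the idle-time heuristic are assumptions.

```java
package example; // hypothetical package

import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Audits servlet-container session lifecycle events.
 * Register it in web.xml:
 *   <listener>
 *     <listener-class>example.SessionAuditListener</listener-class>
 *   </listener>
 */
public class SessionAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        LOG.info("session created id=" + abbreviate(session.getId())
                + " timeoutSeconds=" + session.getMaxInactiveInterval());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called while the session is still readable (Servlet 2.4 and later).
        HttpSession session = event.getSession();
        long idleMillis = System.currentTimeMillis() - session.getLastAccessedTime();
        int timeoutSeconds = session.getMaxInactiveInterval(); // <= 0: never times out

        // Heuristic (assumption): idle for at least the timeout means the container
        // expired the session; otherwise the application invalidated it (e.g. logout).
        boolean timedOut = timeoutSeconds > 0 && idleMillis >= timeoutSeconds * 1000L;

        LOG.info("session ended id=" + abbreviate(session.getId())
                + " reason=" + (timedOut ? "timeout" : "invalidated")
                + " idleSeconds=" + (idleMillis / 1000));
        // Application cleanup for the ended session goes here.
    }

    /** Logs only a short prefix: a full session ID in a log file is a usable credential. */
    static String abbreviate(String id) {
        return id.length() <= 6 ? "******" : id.substring(0, 6) + "...";
    }
}
```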
