Hi Tauren,

Shiro implements the Servlet specification for its native sessions - so if Wicket (or anything else) calls request.getSession() (aka getSession(true)) a new session will be created. Otherwise, a new session won't be created unless:

- You (or a framework) invoke request.getSession() or request.getSession(true)
- A subject successfully logs in via subject.login, at which point a session is created to store authentication state.
- A 'remember me' identity is discovered, at which point the identity is stored in the session to prevent unnecessary continuous cookie reads later on.

Shiro's native web sessions bypass the servlet container entirely, so a servlet container session won't get started unless something in front of the Shiro filter starts one. That's why it is highly recommended to have the Shiro filter sit in front of all other filters to ensure nothing can create or use disjoint sessions for a single request.

HTH,

Les

On Thu, May 20, 2010 at 3:18 PM, Tauren Mills <[email protected]> wrote:
> I'm hoping someone can help me to understand how Shiro works with web
> sessions. If I'm using Shiro native sessions in a web application, will a
> regular web session still get created? Is it possible to have each request
> use a temporary web session?
> In my Wicket app, I'm looking into using stateless pages. Wicket supports
> deferred session creation: as long as the page doesn't have any components
> on it that require state to be maintained, no session will be created.
> Details available here:
> https://cwiki.apache.org/WICKET/stateless-pages.html
> But if I'm using Shiro, will a session be created on these stateless pages
> anyway?
> Tauren
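
The filter ordering recommended in the reply above, shown as a web.xml fragment. This is an added example, not part of the original thread or taken from either project. It assumes Shiro 1.2 or later class names (ShiroFilter with EnvironmentLoaderListener), a native session manager already configured in shiro.ini, and a hypothetical Wicket application class com.example.MyApplication.

```xml
<!-- Added example (not from the thread). Fragment of WEB-INF/web.xml. -->

<!-- Loads the Shiro environment (shiro.ini) at startup; Shiro 1.2+ assumed. -->
<listener>
  <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
  <filter-name>ShiroFilter</filter-name>
  <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter>
  <filter-name>WicketFilter</filter-name>
  <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
  <init-param>
    <param-name>applicationClassName</param-name>
    <!-- Hypothetical application class, used only for illustration. -->
    <param-value>com.example.MyApplication</param-value>
  </init-param>
</filter>

<!-- The container chains filters in the order their filter-mapping
     elements appear, so the Shiro mapping must be declared first.
     Everything behind it then sees Shiro's session when it calls
     request.getSession(), instead of starting a container session. -->
<filter-mapping>
  <filter-name>ShiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>

<!-- Declared second: Wicket runs behind Shiro. A stateless Wicket page that
     never calls getSession() leaves no session created by this chain. -->
<filter-mapping>
  <filter-name>WicketFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Any filter mapped ahead of the Shiro mapping still talks to the container directly, so a getSession() call there produces the disjoint container session the reply describes.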
