Hi, I really like the Shiro API and approach. I'm trying to use Shiro with GWT, but it seems there is a problem.

According to the GWT "login security FAQ" I need to avoid using, on the server side, the session id retrieved from the cookie; instead I must pass it in the payload of the RPC request: http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

So I implemented my GWT + Shiro as follows:

1) When the user starts login: obtain the new Shiro sessionId, pass it to the client, and store it on the client to pass back to the server.

2) When a logged-in user does an RPC request: pass the stored sessionId from the client to the server in the payload of the RPC request, and on the server side I access the session this way: `new Subject.Builder().sessionId(sessionId).buildSubject().getSession()`

But my code does not work. When the user logs out and logs in again, Shiro does not provide a new sessionId but keeps using the old one, which is no longer valid (logout), so I get the following exception when trying to log in with Shiro (`currentUser.login(token)`): "There is no session with id [the old ID]".

Is there a way to tell Shiro not to use the sessionId passed with cookies but only the one passed "programmatically"? Thanks
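The following is an added, stand-alone Java example (not code from the original post, and not GWT code) that exercises the same flow the question describes against a plain, non-web `DefaultSecurityManager`: a login on a freshly built, anonymous Subject hands the session id back to a constructed stand-in for the client; every later call rebuilds the Subject from the id carried in the payload via `Subject.Builder.sessionId(...)`; after logout the old id resolves to an anonymous Subject, and the second login starts from a new Subject and therefore gets a new id. The `SimpleAccountRealm` credentials and the `Client` class are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

import java.io.Serializable;

public class PayloadSessionDemo {

    // Stand-in for the GWT client: remembers the session id handed back at login
    // and sends it in every RPC payload (constructed for this example).
    static final class Client {
        Serializable sessionId;
    }

    private final DefaultSecurityManager securityManager;

    PayloadSessionDemo() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");   // demo credentials, constructed
        securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);
    }

    // Server side of "login": do not reuse any id the client already holds.
    // Build a brand-new anonymous Subject, authenticate it, and return the id
    // of the session Shiro creates for it so the client can store it.
    Serializable login(String user, String pass) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(user, pass));
        return subject.getSession().getId();
    }

    // Server side of an authenticated RPC call: rebuild the Subject from the id
    // carried in the payload, never from a cookie. If the id is unknown or
    // expired, DefaultSecurityManager ignores it and returns an anonymous
    // Subject, so callers must check isAuthenticated() instead of assuming.
    Subject subjectFor(Serializable sessionId) {
        return new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
    }

    // Returns the authenticated principal for this payload id, or null.
    String whoAmI(Serializable sessionId) {
        Subject subject = subjectFor(sessionId);
        if (!subject.isAuthenticated()) {
            return null;
        }
        return (String) subject.getPrincipal();
    }

    // Invalidates the server-side session behind the payload id.
    void logout(Serializable sessionId) {
        subjectFor(sessionId).logout();
    }

    public static void main(String[] args) {
        PayloadSessionDemo server = new PayloadSessionDemo();
        Client client = new Client();

        client.sessionId = server.login("alice", "secret");
        System.out.println("first login  -> id=" + client.sessionId
                + " user=" + server.whoAmI(client.sessionId));

        server.logout(client.sessionId);
        // The stored id is now stale: Shiro resolves it to an anonymous Subject.
        System.out.println("after logout -> user=" + server.whoAmI(client.sessionId));

        // The second login must start from a new Subject, not from the stale id;
        // logging in on a Subject still bound to the stopped session is what
        // yields "There is no session with id [...]".
        client.sessionId = server.login("alice", "secret");
        System.out.println("second login -> id=" + client.sessionId
                + " user=" + server.whoAmI(client.sessionId));
    }
}
```

Two practitioner notes on this, stated as the editor's own, not as something the post confirms: in a servlet deployment the Subject that `SecurityUtils.getSubject()` returns inside the `ShiroFilter` is the one resolved from the request, and Shiro 1.x's `DefaultWebSessionManager` exposes `setSessionIdCookieEnabled(false)` to stop it from reading or writing the session cookie at all, which is the setting to reach for when the id must travel only in the RPC payload; and an id carried in the payload is still a bearer credential, so it needs the same TLS-only transport and server-side invalidation on logout that a cookie would.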
