Hi Mike,

There is currently no great way to customize this other than to override AbstractShiroFilter's 'updateSessionLastAccessTime' method and perform the same logic based on request-specific logic.

The reason this is the case is that, according to the Servlet Specification, a session's lastAccessedTimestamp is always updated when the container receives a request associated with an established session (the second sentence is key):

SRV.7.6 Last Accessed Times

The getLastAccessedTime method of the HttpSession interface allows a servlet to determine the last time the session was accessed before the current request. The session is considered to be accessed when a request that is part of the session is first handled by the servlet container.

So, because the servlet spec mandates this, we could only make this customizable when using Shiro's native sessions - not the default servlet container sessions (since those are outside of Shiro's control). Are you using native sessions?

If using Shiro's native sessions, we can open a Jira issue to enable this extra configuration capability, but I guess I should first ask: how should this be supported? That is, do you want to exclude timestamp update based on a specific request path? Or based on some other request-specific criteria?

Anyone's feedback is welcome!

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
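
The override described in the message above, sketched as an added example (not part of the original message and not Shiro's own code). It assumes Shiro 1.x with the javax.servlet API and native sessions; the class name and the excluded path are hypothetical.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.servlet.ShiroFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Skips the per-request session "touch" for selected paths so that those
 * requests do not extend the idle timeout of a Shiro native session.
 * Has no effect on servlet container sessions: the container updates
 * their last-accessed time itself, before this filter runs.
 */
public class SelectiveTouchShiroFilter extends ShiroFilter {

    // Hypothetical exclusion list; keep it short and exact.
    private static final String[] NO_TOUCH_PATHS = { "/status/poll" };

    @Override
    protected void updateSessionLastAccessTime(ServletRequest request,
                                               ServletResponse response) {
        if (request instanceof HttpServletRequest
                && isExcluded((HttpServletRequest) request)) {
            return; // leave the last-access timestamp as it was
        }
        // Default behaviour: touch the session if native sessions are in use.
        super.updateSessionLastAccessTime(request, response);
    }

    private boolean isExcluded(HttpServletRequest request) {
        // Path relative to the context root, as Shiro computes it for
        // filter chain matching.
        String path = WebUtils.getPathWithinApplication(request);
        for (String excluded : NO_TOUCH_PATHS) {
            // Match the path itself or a sub-path, so that a sibling
            // such as "/status/pollution" is not excluded by accident.
            if (path.equals(excluded) || path.startsWith(excluded + "/")) {
                return true;
            }
        }
        return false;
    }
}
```

Register this class in web.xml in place of org.apache.shiro.web.servlet.ShiroFilter.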
