I need to allow users in my web-based application to click on a logout button to securely end their session. The logout button executes the "SecurityUtils.getSubject().logout()" method and then redirects the user back to the login page. When Shiro uses the default container-provided session management everything works as expected; however, if I enable Shiro's built-in session management, then an UnknownSessionException is thrown whenever the "SecurityUtils.getSubject().logout()" method is executed. Note that this occurs before the next line of code to redirect the user back to the login page is executed.
Whilst trying to troubleshoot this problem I set the logging level to FINEST and found that when Shiro executes the logout() method it appears to have successfully stopped the session and then for some reason attempted to retrieve the session, at which point the error is thrown. I've uploaded the trace to pastebin: http://pastebin.com/UdmC5bvL

The contents of the shiro.ini file are as follows:

[main]
user = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
user.loginUrl = /login.xhtml
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

[users]
<removed>

[urls]
/login.xhtml = user
/app/** = user

I have reproduced this issue on both WebSphere Application Server 8.5 and GlassFish 3.1.2.2 using Shiro 1.2.2.

I was about to start this thread earlier today but I saw an almost identical thread titled "Shiro throws UnknownSessionException when logout / re-login a user with expired session" <http://shiro-user.582556.n2.nabble.com/Shiro-throws-UnknownSessionException-when-logout-re-login-a-user-with-expired-session-td7578800.html>; however, it appears that the specific issue reported there only occurs when the session has expired, although in my case the session hasn't expired. Rather than continue to hijack someone else's thread I thought it would be better to start a new one.

I did also find a thread titled "What might cause an UnknownSessionException" <http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-td7578179.html> which looked promising, but I would really prefer to stop the session correctly rather than using a workaround.

Is using "SecurityUtils.getSubject().logout()" the correct way to allow a user to end their own session when using Shiro's built-in session management, and if so, what can I do to stop the exception being thrown without resorting to workarounds such as removing the session attribute?
I have tried wrapping the method in a try/catch statement; however, it seems the exception is being caught by something else in the call stack.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-calling-logout-method-using-Shiro-s-built-in-session-management-tp7578804.html
Sent from the Shiro User mailing list archive at Nabble.com.
