Hi Paul,

It is not possible for an exception to propagate past a catch clause that you have defined without you detecting it - this means something else (separate from your logout() call) is attempting to use a session without you being aware of it.

I've seen this happen a few times in web apps, usually due to one of 2 cases:

1) A web page (JSP or JSF) attempts to use request.getSession() without you knowing about it. If this happens after subject.logout() is called, you will see an error because the session ID cookie is still present in the web request.

2) subject.logout() is called after the http response has already been committed (body content is being rendered). Because of the way cookies work, it is not possible to delete the session id cookie in this case, so subsequent requests will have an invalid session id cookie and cause this exception.

It is strongly recommended in web apps that a logout call should do nothing but call subject.logout() and then immediately redirect to a new view.

By looking at your log, it appears something in the same thread is calling subject.getSession() _after_ subject.logout():

[02/06/13 20:38:32:163 BST] 000032e7 DefaultSecuri 1 org.apache.shiro.mgt.DefaultSecurityManager logout Logging out subject with primary principal admin
[02/06/13 20:38:32:178 BST] 000032e7 CachingRealm 3 org.apache.shiro.realm.CachingRealm clearCache Cleared cache entries for account with principals [admin]
[02/06/13 20:38:32:178 BST] 000032e7 DelegatingSub 3 org.apache.shiro.subject.support.DelegatingSubject getSession attempting to get session; create = false; session is null = false; session has id = true

I'd connect a debugger and put a breakpoint on DelegatingSubject.getSession() to see what in the call stack is attempting to get a session after you've explicitly called logout.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Thu, Jun 6, 2013 at 10:23 AM, Paul Holding <[email protected]> wrote:
> Les Hazlewood-2 wrote
>> A quick workaround is to just catch and ignore the
>> exception and then issue the redirect.
>
> Hi Les
>
> Thanks for the response. I've tried wrapping the
> SecurityUtils.getSubject().logout() method in a try/catch but the exception
> isn't being caught by this catch block. Instead the error seems to be caught
> by the faces servlet. I've tried catching both
> java.lang.IllegalStateException and
> org.apache.shiro.session.UnknownSessionException but neither actually get
> caught.
>
> The error message returned by the faces servlet is as follows
>
> javax.servlet.ServletException: /app/index.xhtml at line 39 and column 82
> action="#{logout.submit}": java.lang.IllegalStateException:
> org.apache.shiro.session.UnknownSessionException: There is no session with
> id [37de04fc-8ec2-48ea-8c14-aeb8053ebd7b]
>
> Any ideas?
>
> Kind Regards
>
> Paul
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-calling-logout-method-using-Shiro-s-built-in-session-management-tp7578804p7578807.html
> Sent from the Shiro User mailing list archive at Nabble.com.
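
Added example, not part of the original thread and not code from Paul's application or from Shiro: a JSF backing bean for the `#{logout.submit}` action that follows the advice in the reply above. It refuses to log out once the response is committed (case 2), does nothing except `subject.logout()`, and redirects immediately so no view in the same request touches the session afterwards (case 1). The class name `LogoutBean` and the `/login.xhtml` target are assumptions.

```java
import java.io.IOException;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.UnknownSessionException;

// Hypothetical bean bound to action="#{logout.submit}" from the thread.
@ManagedBean(name = "logout")
@RequestScoped
public class LogoutBean {

    // Assumed post-logout view; it must not require an authenticated session.
    private static final String AFTER_LOGOUT = "/login.xhtml";

    public void submit() throws IOException {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();

        // Case 2: once the response is committed, the session id cookie can no
        // longer be deleted, so the browser would keep sending a dead session id.
        // Fail loudly here instead of leaving that stale cookie behind.
        if (ext.isResponseCommitted()) {
            throw new IllegalStateException(
                "logout invoked after the response was committed");
        }

        try {
            // The only work done in this action: end the Shiro subject's session.
            SecurityUtils.getSubject().logout();
        } catch (UnknownSessionException e) {
            // The workaround quoted in the thread: the session is already gone,
            // so there is nothing left to invalidate. Continue to the redirect.
        }

        // Case 1: redirect immediately. ExternalContext.redirect() marks the
        // response complete, so JSF skips rendering and no page in this request
        // calls getSession() after logout.
        ext.redirect(ext.getRequestContextPath() + AFTER_LOGOUT);
    }
}
```

If the exception still surfaces with a handler like this, the caller is elsewhere in the request, which is what the breakpoint on `DelegatingSubject.getSession()` suggested above is meant to find.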
