Hi,

I have Shiro set up in a web app (not using shiro.web). Upon successful login, a cookie is created. The value of the cookie is the same ID from the subject.getSession().getId() method. On the next request, I simply look for this cookie, extract the value/decrypt, and then do this:

1. create a new DefaultSubjectContext instance
2. set the sessionId via setSessionId($value-from-cookie-here)
3. call createSubject(subjectContext) on the security manager
4. then call ThreadContext.bind(newSubject)

It all works, but is this the recommended way to bind a session based user? Also, should I be unbinding at the end of the request before sending the response?

Just looking for feedback.

- Matt
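
The steps described in the post, written out as a per-request handler with the thread binding cleared in a `finally` block (an added example, not code from the original post or from the Shiro project). It assumes Shiro core on the classpath; the class name `BindPerRequest`, the in-memory realm, the account and the bogus session id are constructed for illustration.

```java
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.util.ThreadContext;

public class BindPerRequest {  // hypothetical class name
    // Rebuild the Subject from the cookie's session id and bind it for this request only.
    static String handleRequest(DefaultSecurityManager sm, Serializable sessionId) {
        DefaultSubjectContext ctx = new DefaultSubjectContext();
        ctx.setSecurityManager(sm);
        ctx.setSessionId(sessionId);
        Subject subject = sm.createSubject(ctx);
        ThreadContext.bind(subject);
        try {
            // An unknown or expired id does not throw here: Shiro falls back to an
            // anonymous Subject, so the handler must check authentication itself.
            Subject current = SecurityUtils.getSubject();
            return current.isAuthenticated() ? "user=" + current.getPrincipal() : "anonymous";
        } finally {
            // Container threads are pooled; clear the binding so the next request
            // served by this thread cannot inherit this Subject.
            ThreadContext.remove();
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("matt", "constructed-password"); // constructed sample account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);

        // Request 1: log in and take the id that would be placed in the cookie.
        Subject login = new Subject.Builder(sm).buildSubject();
        login.login(new UsernamePasswordToken("matt", "constructed-password"));
        Serializable cookieValue = login.getSession().getId();

        // Request 2 and 3: a valid session id, then an id the session store does not know.
        System.out.println(handleRequest(sm, cookieValue));
        System.out.println(handleRequest(sm, "constructed-bogus-id"));
        // Show what is still bound to the thread after both requests.
        System.out.println(ThreadContext.getSubject());
    }
}
```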
