I am using Shiro (with native sessions) with Servlets as well and do not have this issue. I would think that Shiro would create a new session if a current session is not found, as that would be the proper behavior. Sorry, I don’t have a pointer to that code, but I am sure it would be easy to figure out.
> On Jul 27, 2016, at 1:57 PM, smm <[email protected]> wrote:
>
> Hello,
>
> I've uncovered in our implementation and deployment of Shiro a race
> condition that can (and does) occur when a Session Expires. Here are the
> steps that have to occur for us to "lose" the race:
>
> 1) User logs in which creates a session. Session is cached and persisted
> (to a MySQL database).
> 2) User does nothing right up until the session is about to expire.
> 3) User requests a JSP just before his session is about to expire.
> 4) Servlet gets the Subject.
> 5) ExecutorServiceSessionValidationScheduler expires the session and deletes
> it from the cache and database.
> 6) The Servlet tries to extract the Subject's Principal, but the session
> doesn't exist so it throws: javax.servlet.ServletException:
> org.apache.shiro.session.UnknownSessionException: There is no session with
> id [190fdf2a-daf7-41d2-aa3c-4eb2da9b33f2].
> 7) The user gets a 500 error (yikes!).
>
> So my question is what normally should prevent this problem? We have a
> custom SessionDAO, so I'm assuming the bug is in our implementation
> somewhere, but it wasn't obvious to me what is the best way to handle a
> Session being invalidated when some other thread has a handle to the
> Session.
>
> I can, of course, post code, but I'm not really sure which code to post.
> Oh, we're using Shiro 1.2.2.
>
> Thanks!
>
> --Stephen
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Session-Expiration-race-condition-tp7581181.html
> Sent from the Shiro User mailing list archive at Nabble.com.
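
One way to contain the failure in steps 6 and 7, as an added example that is not code from either poster or from the Shiro project: a servlet filter that treats a session invalidated mid-request as an expired login and redirects instead of returning a 500. The class name `StaleSessionFilter`, the `/login.jsp` path and the placement ahead of the Shiro filter in `web.xml` are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.session.InvalidSessionException;

// Added example (hypothetical class name). Map it in web.xml ahead of the
// Shiro filter so it sees exceptions thrown by servlets and JSPs.
public class StaleSessionFilter implements Filter {

    // Assumption: the application's login page lives at this path.
    private static final String LOGIN_PATH = "/login.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (RuntimeException | ServletException e) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Rethrow anything unrelated, and anything we can no longer redirect.
            if (!isInvalidSession(e) || http.isCommitted()) {
                throw e;
            }
            String ctx = ((HttpServletRequest) req).getContextPath();
            http.sendRedirect(ctx + LOGIN_PATH);
        }
    }

    // UnknownSessionException and ExpiredSessionException both extend
    // InvalidSessionException; containers often wrap them in ServletException.
    static boolean isInvalidSession(Throwable t) {
        for (int depth = 0; t != null && depth < 10; depth++) {
            if (t instanceof InvalidSessionException) {
                return true;
            }
            Throwable root = (t instanceof ServletException)
                    ? ((ServletException) t).getRootCause() : null;
            t = (root != null) ? root : t.getCause();
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

This only changes what the user sees when the race is lost; it does not stop the validation scheduler from deleting a session that a request thread still holds.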
