Hi all, I am trying to get a better understanding of how Shiro does session management on Google App Engine (a few things seem to be behaving counter-intuitively), so I'll start by asking some questions:
1. Does Shiro use the _ah_SESSION entities to manage session persistence on GAE? 2. If so, what is the relationship between the key (name/ID) of the _ah_SESSION entity and the value stored in the JSESSIONID cookie? 3. To put it differently, how does DefaultWebSessionManager know that if the JSESSIONID value is X, I have to lookup entity Y in the GAE datastore? I have set the session-timeout to 1440 (24 hours) in web.xml, but logins seem to expire before then (cookie life is set to 5 days): if I login now, do nothing after that, and refresh the page in, say, 13 hours, I am shown as logged out (depending entirely on Shiro for logins, not doing any other hanky-panky). It does seem like the value of the _expires field in the _ah_SESSION entities is being set to 24 hours from now. Regards, Harshdeep S Jawanda
