I cannot speak to anything specific to GAE, but the DefaultWebSessionManager "owns" the creation of the sessionId. If you want the container to control it, then you would use the ServletContainerSessionManager:
https://github.com/apache/shiro/blob/master/web/src/main/java/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.java On Mon, Mar 27, 2017 at 7:53 AM, Harshdeep S Jawanda <[email protected]> wrote: > Hi all, > > I am trying to get a better understanding of how Shiro does session > management on Google App Engine (a few things seem to be behaving > counter-intuitively), so I'll start by asking some questions: > > 1. Does Shiro use the _ah_SESSION entities to manage session > persistence on GAE? > 2. If so, what is the relationship between the key (name/ID) of the > _ah_SESSION entity and the value stored in the JSESSIONID cookie? > 3. To put it differently, how does DefaultWebSessionManager know that > if the JSESSIONID value is X, I have to lookup entity Y in the GAE > datastore? > > I have set the session-timeout to 1440 (24 hours) in web.xml, but logins > seem to expire before then (cookie life is set to 5 days): if I login now, > do nothing after that, and refresh the page in, say, 13 hours, I am shown > as logged out (depending entirely on Shiro for logins, not doing any other > hanky-panky). > > It does seem like the value of the _expires field in the _ah_SESSION > entities is being set to 24 hours from now. > > Regards, > Harshdeep S Jawanda >
