Posted to dev@shiro.apache.org by "Sven Moschel (JIRA)" <ji...@apache.org> on 2012/07/13 06:07:33 UTC

[jira] [Created] (SHIRO-374) Session Cookie will not be deleted on subjects logout

Sven Moschel created SHIRO-374:
----------------------------------

             Summary: Session Cookie will not be deleted on subjects logout
                 Key: SHIRO-374
                 URL: https://issues.apache.org/jira/browse/SHIRO-374
             Project: Shiro
          Issue Type: Bug
          Components: Session Management, Subject
    Affects Versions: 1.2.0
         Environment: GF3.1.2, JSF
            Reporter: Sven Moschel


Our web application initializes Shiro through an .ini file. Within the ini file we set the application cookie as follows:

# Cookie Management
cookie                                         = org.apache.shiro.web.servlet.SimpleCookie
cookie.name                                    = AppCookie
cookie.secure                                  = true
cookie.httpOnly                                = false
securityManager.sessionManager.sessionIdCookie = $cookie

Shiro runs in "native" session mode. When a user enters the application, the MyCookie and a JSESSIONID cookie will be created. The session will be authenticated on subject.login(...). Everything works fine until the user logs out and we call the subject.logout() method.

It seems that the JSESSIONID cookie will not be deleted. The value of the cookie always stays the same, while the value (id) of our AppCookie always changes. The problem is that the user gets the same session again if he logs in again. That means that the settings the user made before logout already exist on relogin.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Resolved] (SHIRO-374) Session Cookie will not be deleted on subjects logout

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved SHIRO-374.
---------------------------------

    Resolution: Cannot Reproduce

Shiro will not create a JSESSIONID cookie if you specify a custom sessionIdCookie name.  The reason you are seeing this condition is because the ShiroFilter is not 'high enough' in your filter chain.  The servlet container is creating a session before the request can be processed by Shiro.

Ensure your ShiroFilter sits in front of any framework or other filter that might access the HttpSession (e.g. Spring filters, etc) and this will go away.
                
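One way to confirm which component creates the container session before ShiroFilter runs, as an added example that is neither Shiro project code nor code from the reporter's application: a diagnostic servlet Filter, mapped first in web.xml, that reports a container HttpSession that already exists when the chain starts (created by the container or a request listener) and wraps the request so that any session created by a later filter is logged together with the stack trace of the call site. The class name SessionCreationTraceFilter and the use of java.util.logging are assumptions; it targets the Servlet 3.0 javax.servlet API, which matches the GlassFish 3.1.2 environment in the report.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (added example, not part of Shiro): reports where a
 * container HttpSession, and therefore the JSESSIONID cookie, comes from.
 * Map it before every other filter in web.xml and remove it after diagnosis.
 */
public class SessionCreationTraceFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTraceFilter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            // A session that exists before the first filter runs, although the client
            // did not present a valid session id, was created by the container or by a
            // request listener; no filter ordering can change that case.
            if (http.getSession(false) != null && !http.isRequestedSessionIdValid()) {
                LOG.warning("Container HttpSession already exists before any filter ran: "
                        + http.getRequestURI());
            }
            // Hand the rest of the chain a wrapper that traces session creation.
            request = new TracingRequest(http);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Request wrapper that logs the call site of every container session creation. */
    static final class TracingRequest extends HttpServletRequestWrapper {

        TracingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession() {
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            boolean existed = super.getSession(false) != null;
            HttpSession session = super.getSession(create);
            if (!existed && session != null) {
                // The attached stack trace names the filter or framework that forced
                // the container to create a session (and so to emit a JSESSIONID cookie).
                LOG.log(Level.WARNING,
                        "Container HttpSession created during request to " + getRequestURI(),
                        new Throwable("session creation site"));
            }
            return session;
        }
    }
}
```

Declare its <filter-mapping> before every other mapping in web.xml, since the container applies url-pattern filter mappings in declaration order. The wrapper only observes filters that run after it, so a session that is already present at the top of the chain points at a listener or the container itself. Once the creator is identified, move ShiroFilter ahead of it as the resolution says, verify that the "created" warning no longer appears on a fresh login/logout cycle, and then remove this filter again.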

        

[jira] [Updated] (SHIRO-374) Session Cookie will not be deleted on subjects logout

Posted by "Sven Moschel (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Moschel updated SHIRO-374:
-------------------------------

    Attachment: appcookies.png

As commented. The JSESSIONID cookie always stays the same. Only the AppCookie changes on logout/login of a user.
                

        

[jira] [Commented] (SHIRO-374) Session Cookie will not be deleted on subjects logout

Posted by "Sven Moschel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422321#comment-13422321 ] 

Sven Moschel commented on SHIRO-374:
------------------------------------

Debugged again and you are right. The JSESSIONID cookie is created by Weld. Posted a bug in their forum about this.
                

        

[jira] [Comment Edited] (SHIRO-374) Session Cookie will not be deleted on subjects logout

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13421774#comment-13421774 ] 

Les Hazlewood edited comment on SHIRO-374 at 7/24/12 9:28 PM:
--------------------------------------------------------------

Shiro will not create a JSESSIONID cookie if you specify a custom sessionIdCookie name.  The reason you are seeing this condition is because the ShiroFilter is not 'high enough' in your filter chain.  The servlet container is creating a session before the request can be processed by Shiro.

Ensure your ShiroFilter sits in front of any framework or other filter that might access the HttpSession (e.g. Spring filters, etc) and this will go away.
                
      was (Author: lhazlewood):
    Shiro will not create a JSESSIONID cookie if you specify a custom sessionIdCookie name.  The reason you are seeing this condition is because the ShiroFilter is not 'high enough' in your filter chain.  The servlet container is create a session before the request can be processed by Shiro.

Ensure your ShiroFilter sits in front of any framework or other filter that might access the HttpSession (e.g. Spring filters, etc) and this will go away.
                  