You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by ba...@icontel.com on 2009/09/04 13:29:14 UTC
RE: Losing session
HI Mad,
Is your problem resolved?
I am also facing same problem
If it is resolved in your case, could you tell me the configuration in
web.xml.
Thanks & Regards
Balajee
________________________________
From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On
Behalf Of Les Hazlewood <lh...@apache.org>
Sent: Tuesday, August 25, 2009 4:43 PM
To: shiro-user@incubator.apache.org
Subject: Re: Losing session
Hi Mad,
Wait until tomorrow when hopefully the trunk is back to being stable
again - then you should try the latest trunk as I recall a session
timeout bug being fixed early last week.
- Les
On Tue, Aug 25, 2009 at 10:14 AM, mad rug wrote:
> I'm still troubled with this...
> I keep losing my session after 30 minutes (default timeout), no matter
the
> user activity. I need to fix this to allow session expiration after
some
> time of inactivity, and present nice messages when the session
expires.
> What's the way to do this?
> Thanks!
>
> On Fri, Aug 21, 2009 at 12:57 PM, mad rug wrote:
>>
>> Well, I might try it then... weekend is coming, and I can get what I
had
>> to do until Monday, and still fix this... I hope :-P
>> Other notes:
>> - I thought that I may change the sessionValidationInterval property
to a
>> lower value so the session gets invalidated quickly, but I couldn't
find it
>> on DefaultWebSecurityManager, even though it
>> extends AbstractValidatingSessionManager;
>> - I read about autoCreateSessionAfterInvalidation, that it is
defaulted to
>> true, I got a doubt: if the session is replaced by a new one, like I
guess
>> it is happening in my case, then this is merely a dev convenience to
let the
>> user log itself using the already available new session, but all the
data
>> stored in the previous session is gone, is that right?
>> I implemented a SessionListener, but I'm now unsure how it will help
me.
>> First, it does notify me on session timeout, but all that I get is
the
>> expired session... I want to notify the user with some 'session
expired,
>> login again' message, but an expired session won't help me on that, I
guess.
>> How can I do it?
>> Second, I used the listener to set my 10s timeout by code to test
>> expiration, and it expires my session after the 10s, but no matter if
I'm
>> inactive or performing actions and navigating around my app all the
time. Is
>> this right, or is that one of your fixed bugs?
>> Thanks again Les. You've been invaluable to get my application
working!
>>
>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood
>> wrote:
>>>
>>> In that case you will want the latest snapshot version - now that I
>>> think about it, I think one of those bugs did affect session
timeout.
>>>
>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug wrote:
>>> > Les,
>>> > I'm using native session (
>>> > value="shiro"/>). For
>>> > sure I'm not with the latest version of shiro... I'm using this
>>> > snapshot for
>>> > over two months. As you say it is unlikely that it is related to
the
>>> > last
>>> > fixes, I'll try to keep this version, unless things do not get in
line.
>>> > I just tested global timeout (
>>> > value="10000"/> ), but the session is not expiring as fast as I
>>> > expected...
>>> > it lasted minutes. Is a number as low as this accepted? I used 10s
for
>>> > testing... I plan to use something around 15 minutes.
>>> > I use no listeners so far, but I guess they will do the job. As I
said,
>>> > I
>>> > store some user data on the session (name, nick, company it works
>>> > for...)
>>> > and this data is put on the header of every page, so if the
listener is
>>> > called the first time the expired session is accessed, it will be
fine.
>>> > I'll try that right now... any problem, I'll bother you again! ;-)
>>> > Thanks again!
>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood
>>> > wrote:
>>> >>
>>> >> Hi Mad,
>>> >>
>>> >> Are you using standard ServletContainer sessions? or Shiro's
native
>>> >> sessions?
>>> >>
>>> >> If using native sessions, ensure you're using the latest version
of
>>> >> Shiro - a few session-related bugs were fixed over the last
month. I
>>> >> doubt they would be related to what you're seeing, but at least
its
>>> >> worth a try.
>>> >>
>>> >> You can also set the global session timeout (for all sessions)
setting
>>> >> sessionManager.globalSessionTimeout = desiredMilliseconds.
>>> >>
>>> >> Also, you could implement a
org.apache.shiro.session.SessionListener
>>> >> to listen to session lifecycle events
>>> >> (securityManager.setSessionListeners(Collection
>>> >> listeners); ). Note however that session validation (for
expiration)
>>> >> is done lazily: you won't receive an 'expiredSession'
notification
>>> >> the exact instant it expires. You'll receive the notification if
an
>>> >> expired session is ever accessed or the next time Shiro's session
>>> >> validator executes (configurable - defaults to once per hour I
think).
>>> >>
>>> >> Finally, if you want to know about logins and logouts, don't use
a
>>> >> SessionListener for this - use an
>>> >> org.apache.shiro.authc.AuthenticationListener
>>> >>
>>> >>
>>> >> (securityManager.setAuthenticationListeners(Collection
>>> >> listeners); ).
>>> >>
>>> >> Regards,
>>> >>
>>> >> Les
>>> >>
>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug wrote:
>>> >> > Hi
>>> >> > I'm having some problem with my application. I use Shiro in a
Spring
>>> >> > MVC
>>> >> > application much like the sample included with Shiro. I use
Shiro
>>> >> > session,
>>> >> > and I store some logged user data in it (user ID, company that
user
>>> >> > belongs
>>> >> > to, etc), but sometimes my app seem to be losing its session,
like a
>>> >> > timeout, but without long inactive periods. I notice it quickly
>>> >> > because
>>> >> > my
>>> >> > header pages contain the name of the user and its company name,
and
>>> >> > they
>>> >> > suddenly are gone, even though I remain authenticated
>>> >> > (
>>> >> > still returns the user principal).
>>> >> > I don't know where I am missing some config to make the session
last
>>> >> > longer... how can I handle it?
>>> >> > Moreover, does Shiro provide any facility to handle session
timeout,
>>> >> > and
>>> >> > maybe redirect to some warning page?
>>> >> > Thanks!
>>> >
>>> >
>>
>
>