Posted to user@shiro.apache.org by ba...@icontel.com on 2009/09/04 13:29:14 UTC

RE: Losing session

Hi Mad,

Is your problem resolved?

I am also facing the same problem.

If it is resolved in your case, could you tell me the configuration in
web.xml?

Thanks & Regards

Balajee

________________________________

From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On
Behalf Of Les Hazlewood <lh...@apache.org>
Sent: Tuesday, August 25, 2009 4:43 PM
To: shiro-user@incubator.apache.org
Subject: Re: Losing session

Hi Mad,

Wait until tomorrow when hopefully the trunk is back to being stable 
again - then you should try the latest trunk as I recall a session 
timeout bug being fixed early last week. 

- Les 

On Tue, Aug 25, 2009 at 10:14 AM, mad rug wrote: 
> I'm still troubled with this...
> I keep losing my session after 30 minutes (default timeout), no matter the
> user activity. I need to fix this to allow session expiration after some
> time of inactivity, and present nice messages when the session expires.
> What's the way to do this?
> Thanks!
> 
> On Fri, Aug 21, 2009 at 12:57 PM, mad rug wrote: 
>> 
>> Well, I might try it then... weekend is coming, and I can get what I had
>> to do until Monday, and still fix this... I hope :-P
>> Other notes:
>> - I thought that I may change the sessionValidationInterval property to a
>> lower value so the session gets invalidated quickly, but I couldn't find it
>> on DefaultWebSecurityManager, even though it
>> extends AbstractValidatingSessionManager;
>> - I read about autoCreateSessionAfterInvalidation, that it is defaulted to
>> true, I got a doubt: if the session is replaced by a new one, like I guess
>> it is happening in my case, then this is merely a dev convenience to let the
>> user log itself using the already available new session, but all the data
>> stored in the previous session is gone, is that right?
>> I implemented a SessionListener, but I'm now unsure how it will help me.
>> First, it does notify me on session timeout, but all that I get is the
>> expired session... I want to notify the user with some 'session expired,
>> login again' message, but an expired session won't help me on that, I guess.
>> How can I do it?
>> Second, I used the listener to set my 10s timeout by code to test
>> expiration, and it expires my session after the 10s, but no matter if I'm
>> inactive or performing actions and navigating around my app all the time. Is
>> this right, or is that one of your fixed bugs?
>> Thanks again Les. You've been invaluable to get my application working!
>> 
>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood wrote:
>>>
>>> In that case you will want the latest snapshot version - now that I
>>> think about it, I think one of those bugs did affect session timeout.
>>> 
>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug wrote: 
>>> > Les,
>>> > I'm using native session (
>>> > value="shiro"/>). For
>>> > sure I'm not with the latest version of shiro... I'm using this
>>> > snapshot for over two months. As you say it is unlikely that it is
>>> > related to the last fixes, I'll try to keep this version, unless things
>>> > do not get in line.
>>> > I just tested global timeout (
>>> > value="10000"/> ), but the session is not expiring as fast as I
>>> > expected... it lasted minutes. Is a number as low as this accepted? I
>>> > used 10s for testing... I plan to use something around 15 minutes.
>>> > I use no listeners so far, but I guess they will do the job. As I said,
>>> > I store some user data on the session (name, nick, company it works
>>> > for...) and this data is put on the header of every page, so if the
>>> > listener is called the first time the expired session is accessed, it
>>> > will be fine.
>>> > I'll try that right now... any problem, I'll bother you again! ;-)
>>> > Thanks again!
>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood wrote:
>>> >> 
>>> >> Hi Mad, 
>>> >> 
>>> >> Are you using standard ServletContainer sessions?  or Shiro's native
>>> >> sessions?
>>> >>
>>> >> If using native sessions, ensure you're using the latest version of
>>> >> Shiro - a few session-related bugs were fixed over the last month.  I
>>> >> doubt they would be related to what you're seeing, but at least it's
>>> >> worth a try.
>>> >>
>>> >> You can also set the global session timeout (for all sessions) setting
>>> >> sessionManager.globalSessionTimeout = desiredMilliseconds.
>>> >>
>>> >> Also, you could implement a org.apache.shiro.session.SessionListener
>>> >> to listen to session lifecycle events
>>> >> (securityManager.setSessionListeners(Collection
>>> >> listeners); ).  Note however that session validation (for expiration)
>>> >> is done lazily:  you won't receive an 'expiredSession' notification
>>> >> the exact instant it expires.  You'll receive the notification if an
>>> >> expired session is ever accessed or the next time Shiro's session
>>> >> validator executes (configurable - defaults to once per hour I think).
>>> >>
>>> >> Finally, if you want to know about logins and logouts, don't use a
>>> >> SessionListener for this - use an
>>> >> org.apache.shiro.authc.AuthenticationListener
>>> >>
>>> >> (securityManager.setAuthenticationListeners(Collection
>>> >> listeners); ).
>>> >> 
>>> >> Regards, 
>>> >> 
>>> >> Les 
>>> >> 
>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug wrote: 
>>> >> > Hi
>>> >> > I'm having some problem with my application. I use Shiro in a Spring
>>> >> > MVC application much like the sample included with Shiro. I use Shiro
>>> >> > session, and I store some logged user data in it (user ID, company
>>> >> > that user belongs to, etc), but sometimes my app seems to be losing
>>> >> > its session, like a timeout, but without long inactive periods. I
>>> >> > notice it quickly because my header pages contain the name of the
>>> >> > user and its company name, and they suddenly are gone, even though I
>>> >> > remain authenticated
>>> >> > (
>>> >> > still returns the user principal).
>>> >> > I don't know where I am missing some config to make the session last
>>> >> > longer... how can I handle it?
>>> >> > Moreover, does Shiro provide any facility to handle session timeout,
>>> >> > and maybe redirect to some warning page?
>>> >> > Thanks!
>>> > 
>>> > 
>> 
> 
>
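
The lazy validation Les describes in the quoted thread (expiry is noticed only when an expired session is accessed or when the validator runs), as a toy model added here; it is not Shiro's code and not from any poster. All class and method names are hypothetical, and `touchOnAccess=false` only models the symptom mad rug reports, not a known Shiro code path.

```java
import java.util.*;

// Toy model of a lazily validated idle timeout; hypothetical names, not Shiro's code.
public class LazyIdleTimeoutDemo {
    static final long TIMEOUT_MS = 10_000;                 // the 10 s test value from the thread
    final Map<String, Long> lastAccess = new HashMap<>();
    final List<String> expiredEvents = new ArrayList<>();  // stands in for listener callbacks
    final boolean touchOnAccess;
    LazyIdleTimeoutDemo(boolean touchOnAccess) { this.touchOnAccess = touchOnAccess; }
    void start(String id, long now) { lastAccess.put(id, now); }

    // Expiry is evaluated only when someone asks; nothing fires at the deadline itself.
    private boolean expireIfIdle(String id, long now) {
        Long last = lastAccess.get(id);
        if (last == null) return true;                     // unknown or already expired
        if (now - last <= TIMEOUT_MS) return false;
        lastAccess.remove(id);
        expiredEvents.add(id + "@" + now);                 // notification time, not deadline time
        return true;
    }

    // A request that uses the session: detects expiry, otherwise resets the idle clock.
    boolean access(String id, long now) {
        if (expireIfIdle(id, now)) return false;
        if (touchOnAccess) lastAccess.put(id, now);
        return true;
    }

    // Periodic validator sweep: the only other point where expiry is noticed.
    void validateAll(long now) {
        for (String id : new ArrayList<>(lastAccess.keySet())) expireIfIdle(id, now);
    }

    public static void main(String[] args) {
        LazyIdleTimeoutDemo sliding = new LazyIdleTimeoutDemo(true);
        sliding.start("active", 0);
        sliding.start("abandoned", 0);
        boolean alive = true;
        for (long t = 4_000; t <= 40_000; t += 4_000) alive &= sliding.access("active", t);
        System.out.println("active user kept session: " + alive);
        System.out.println("abandoned still stored at 40 s: " + sliding.lastAccess.containsKey("abandoned"));
        sliding.validateAll(45_000);
        System.out.println("expiry events after sweep: " + sliding.expiredEvents);
        LazyIdleTimeoutDemo noTouch = new LazyIdleTimeoutDemo(false); // models the reported symptom
        noTouch.start("active", 0);
        boolean kept = true;
        for (long t = 4_000; t <= 12_000; t += 4_000) kept &= noTouch.access("active", t);
        System.out.println("without touch, session kept through 12 s: " + kept);
    }
}
```

In the model, the abandoned session outlives its 10 s timeout until the sweep at 45 s, which matches a short timeout appearing to last minutes when nothing accesses the session; with the idle clock never reset, an active session still ends once 10 s have passed since it started.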