Posted to user@shiro.apache.org by enabler <mm...@hotmail.com> on 2010/09/14 01:00:26 UTC

Shiro JSESSIONID issues

We are using a DB backend to store our Shiro native sessions. We ran into a bug
while testing. If two different users log in from the same machine (PC) via
two different browsers/sessions (irrespective of the browser type), somehow
Shiro takes the last login's creds as "the user creds".

Example steps:
1) UserA login (same PC) -> IE browser 
2) UserB login (same PC) -> IE browser
3) User A saves some customized data in the app. After the save, the freshly
saved (SecurityUtils.getSubject().getPrincipal()) user information is owned by
User B (when in fact it should be User A).

It's as if User B takes over since that is the "fresh/latest" cookie on the
user's machine? How can we prevent this from happening?


-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-JSESSIONID-issues-tp5528335p5528335.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro JSESSIONID issues

Posted by Les Hazlewood <lh...@apache.org>.
Does this happen when using two different browsers?  For example, with
one IE instance and the other a Firefox instance?  If it does not,
then it must be a problem at the browser level.

Also, are you using IE 8?  I found this link, which may help:
http://blogs.msdn.com/b/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx

Try File > New Session w/ IE8 and see if the issue still remains.
Also try with Firefox and IE to see what happens - please tell us what
you find.

Finally if you don't believe this to be IE's fault, do you have a very
simple test app that could be used to re-create this?  You could
easily use the 'web' sample application in the Shiro source
distribution but turn on native sessions and use, say, an embedded H2
database to try and re-create the relevant part of your environment.

Regards,

Les

On Mon, Sep 13, 2010 at 4:00 PM, enabler <mm...@hotmail.com> wrote:
>
> We are using a DB backend to store our Shiro native sessions. We ran into a bug
> while testing. If two different users log in from the same machine (PC) via
> two different browsers/sessions (irrespective of the browser type), somehow
> Shiro takes the last login's creds as "the user creds".
>
> Example steps:
> 1) UserA login (same PC) -> IE browser
> 2) UserB login (same PC) -> IE browser
> 3) User A saves some customized data in the app. After the save, the freshly
> saved (SecurityUtils.getSubject().getPrincipal()) user information is owned by
> User B (when in fact it should be User A).
>
> It's as if User B takes over since that is the "fresh/latest" cookie on the
> user's machine? How can we prevent this from happening?
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-JSESSIONID-issues-tp5528335p5528335.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
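[Editor's note: added worked example; this is not code from the thread or from the Shiro project.] The diagnostic Les proposes above (same browser vs. two different browsers) can be reproduced offline with Python's standard cookie jar, which applies the same "one cookie of a given name per host and path" rule a browser profile does. The server side below is a stand-in for a DB-backed native session store; the host app.example.com, the endpoints /login and /whoami, and the user names are constructed for the example and nothing touches the network. It shows that the session store keeps UserA's and UserB's sessions separate, and that the takeover happens only when both logins share one cookie jar: the second Set-Cookie replaces the jar's JSESSIONID, so the first window's next request carries UserB's session id.

```python
"""Reproduce the "last login wins" symptom with a stock CookieJar.

Added example, not Shiro code: the server-side store never merges users;
one JSESSIONID per host in one browser profile is what makes window 1 act
as the user who logged in last in window 2.
"""
import secrets
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

BASE = "http://app.example.com"  # constructed host; nothing touches the network


class SessionStore:
    """Stand-in for the DB-backed native session store: session id -> principal."""

    def __init__(self):
        self._sessions = {}

    def create(self, principal):
        sid = secrets.token_hex(16)  # fresh, unguessable id for every login
        self._sessions[sid] = principal
        return sid

    def principal_for(self, sid):
        return self._sessions.get(sid)

    def count(self):
        return len(self._sessions)


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie=None):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class Server:
    """Two hypothetical endpoints: /login issues the session cookie, /whoami reads it."""

    def __init__(self):
        self.store = SessionStore()

    def login(self, request, username):
        sid = self.store.create(username)
        return FakeResponse(f"JSESSIONID={sid}; Path=/; HttpOnly")

    def whoami(self, request):
        cookies = SimpleCookie(request.get_header("Cookie", ""))
        morsel = cookies.get("JSESSIONID")
        return None if morsel is None else self.store.principal_for(morsel.value)


class Browser:
    """One CookieJar per browser profile; every window of that profile shares it."""

    def __init__(self, server):
        self.server = server
        self.jar = CookieJar()

    def _request(self, path):
        req = Request(BASE + path)
        self.jar.add_cookie_header(req)  # attach whatever JSESSIONID the jar holds
        return req

    def login(self, username):
        req = self._request("/login")
        self.jar.extract_cookies(self.server.login(req, username), req)

    def whoami(self):
        return self.server.whoami(self._request("/whoami"))


def shared_profile_scenario():
    """UserA and UserB log in from two windows of the SAME profile (two IE windows)."""
    server = Server()
    profile = Browser(server)
    profile.login("UserA")  # window 1
    profile.login("UserB")  # window 2: this Set-Cookie replaces the jar's JSESSIONID
    # Window 1's next request carries the jar's only JSESSIONID, so the server
    # answers "UserB"; the store still holds two distinct sessions, so nothing
    # was merged server-side.
    return profile.whoami(), server.store.count()


def separate_profiles_scenario():
    """Same logins from two different profiles (e.g. IE and Firefox): no cross-talk."""
    server = Server()
    ie, firefox = Browser(server), Browser(server)
    ie.login("UserA")
    firefox.login("UserB")
    return ie.whoami(), firefox.whoami()


if __name__ == "__main__":
    print("same profile:", shared_profile_scenario())
    print("separate profiles:", separate_profiles_scenario())
```

If a real deployment shows the separate-profile result while two windows of one browser show the shared-profile result, the behaviour is the cookie jar's, not the session store's, which is exactly what the IE8 "File > New Session" test above distinguishes.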