Posted to user@shiro.apache.org by security ml <se...@intrawave.net> on 2011/06/09 16:22:50 UTC

org.apache.shiro.session.ExpiredSessionException

Hi,

   First, thank you for your quick responses.  That is invaluable!

   I have looked for a way to check for an expired session, but did not find
one.  Is the expected usage to wait for and catch
an ExpiredSessionException?
(org.apache.shiro.session.ExpiredSessionException)


   How do you feel about being able to check the Session interface to see if
it is expired?

Session session = SecurityUtils.getSubject().getSession();
boolean expired = session.isExpired();

Thank you, Michael

Re: org.apache.shiro.session.ExpiredSessionException

Posted by Les Hazlewood <lh...@apache.org>.
Hi Michael,

An isExpired() method has not existed for a while now on purpose:  I
believe that people would start to program like this everywhere in
code, for fear of being 'safe':

if (!session.isExpired()) {
    session.whatever(...)
}

That feels like it would be cumbersome to even use sessions.

Instead, the framework is configured to automatically ignore an
InvalidSessionException when a Subject instance is created in response
to a request (in a web app, Subject instances are short lived and
created at the start of the request, and cleaned up at the end of the
request).  This way, Shiro users never need to check an 'isExpired'
method because it will never be expired - it will be present if it is
not expired or null if it is expired (in which case a call to
getSession() will create a new session).

Are you seeing this problem in a non-request environment (non-web or
non-remoting)?

Best,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
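
The behaviour described in the reply above, as an added example that is not part of the original thread or of Shiro's own code: a hypothetical helper, readAttribute, asks for the session with getSession(false) and treats an InvalidSessionException (the parent type of ExpiredSessionException) as "no session". The standalone, non-request setup, the class name and the sample values are assumptions made for the demonstration.

```java
import java.util.Optional;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionAccessExample {

    // Hypothetical helper: read an attribute without ever creating a session.
    // An absent, expired or stopped session all collapse to Optional.empty(),
    // so callers fail closed instead of acting on stale session state.
    static Optional<Object> readAttribute(Subject subject, Object key) {
        Session session = subject.getSession(false); // false: do not create one
        if (session == null) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(session.getAttribute(key));
        } catch (InvalidSessionException e) {
            // ExpiredSessionException is a subclass, so it is handled here too.
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed standalone setup: empty realm, default native sessions.
        SecurityUtils.setSecurityManager(
                new DefaultSecurityManager(new SimpleAccountRealm()));
        Subject subject = SecurityUtils.getSubject();

        Session session = subject.getSession();   // creates a session
        session.setAttribute("cart", "3 items");  // constructed sample value
        System.out.println("fresh:   " + readAttribute(subject, "cart"));

        session.setTimeout(50);                   // milliseconds, shortened for the demo
        Thread.sleep(200);                        // let the session time out
        System.out.println("expired: " + readAttribute(subject, "cart"));
    }
}
```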