Posted to user@shiro.apache.org by ba...@icontel.com on 2009/09/09 09:38:55 UTC

Session Creation for same user

Hi Les,

I am on the new version (last week) of Shiro, and I am using Shiro for session
management also.

While testing my prototype I found the following observations. Before debugging
deeper I just want answers from you:

1. I opened two IE browsers and started the application and logged in using
some username; both browsers use the same session, and this is fine, but if I
log in with the same user in different browsers (IE, Firefox), Shiro creates
two different sessions at the server. What is the key factor while creating a
session? I expect that for the same principal I should have one session at the
server which will be shared across multiple browsers or clients. As sessions
are maintained at the server, even if I use different browsers (IE, Firefox),
is it not possible to have the same session for both browsers if logged in
using the same user?

2. If I disable cookies in my browsers, what is the fallback mechanism for
Shiro to handle sessions?

3. Now I am using native Shiro session mode. If I change native to http mode,
the timeout is not taking effect. I changed the defaultWebSessionManager to
ServletContainerManager but the session timeout is not reflected.

4. My UI is Flex so I didn't configure any URL for login. If the session
expired or logged out I am redirecting / or opening a page. But if I try to
login again without closing the browser, ShiroFilter is not allowing me to
call my remote server using BlazeDS; instead it is throwing an
UnknownSessionException. Is it not possible to login again after logout in the
same browser?

Thanks & Regards

Balajee

Re: Session Creation for same user

Posted by Les Hazlewood <lh...@apache.org>.
> I opened two IE browsers and started the application and logged in using
> some username; both browsers use the same session, this is fine, but if I
> log in with the same user in different browsers (IE, Firefox), Shiro creates
> two different sessions at the server

Sessions for web-based apps are identified by default by a session
cookie. Naturally two different browsers won't share session cookies.
Your application will need to transmit the session ID to the other
browser in some way. This is typically done by 'joining' the session
from Browser A by manually setting the cookie yourself after log in.

That is:

Browser A starts the session and the session id cookie is set.
Browser B accesses the website and logs in.
You discover that there is already an open session for the user (query
your Session store) and manually set the 'JSESSIONID' cookie on the
response after login to be that session's ID.
All subsequent requests from either browser will share the same session.

This is highly unusual though. I don't know why there would ever be
an actual application requirement to use 2 separate browser
installations accessing the same session. It is far more common to
allow concurrent logins for the same user so a user can use 2 separate
browsers with 2 separate (but concurrent) sessions.

> If I disable cookies in my browsers, what is the fallback mechanism for
> Shiro to handle sessions?

URL rewriting, supported by the servlet specification. Shiro does
this correctly if cookies are disabled per the servlet specification,
but you, the programmer, are responsible for calling
HttpServletResponse#encodeUrl or
HttpServletResponse#encodeRedirectUrl. Or you could use JSTL tags that
would call this for you, e.g. <c:out/>.

> Now I am using native Shiro session mode. If I change native to http mode,
> the timeout is not taking effect. I changed the defaultWebSessionManager to
> ServletContainerManager but the session timeout is not reflected.

Session stop/expiration notifications only work when using Shiro's
'native' session mode.  Since Shiro does not manage servlet container
sessions, there is no easy way for Shiro to know when the servlet
container has expired a session.

You might want to use an HttpSessionListener when using
ServletContainer sessions (specified in web.xml).

> My UI is Flex so I didn't configure any URL for login. If the session expired
> or logged out I am redirecting / or opening a page. But if I try to login
> again without closing the browser, ShiroFilter is not allowing me to call my
> remote server using BlazeDS; instead it is throwing an
> UnknownSessionException. Is it not possible to login again after logout in
> the same browser?

The default behavior for web applications is to automatically create a
new session when encountering an expired one. You shouldn't see an
UnknownSessionException sent to the client tier - a new session ID
cookie should be set.

After logging out, the session is invalidated and the session id
cookie is removed. Your next request to the system would start a new
session and set a new session id cookie. So yes, logging out and
logging back in again in the same browser works just fine. I'm afraid
I'd need a test case to be able to see exactly what problem you're
encountering.

Regards,

Les
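An added example (not part of this thread and not Shiro's or the servlet container's own code) of the HttpSessionListener approach Les suggests for the third question: in servlet-container session mode Shiro receives no expiration callbacks, so the container itself is asked to notify the application. The listener reads the principals Shiro 1.x stores under DefaultSubjectContext.PRINCIPALS_SESSION_KEY and uses the idle time to tell a timeout from an explicit logout; the package name com.example and the log destination are assumptions.

```java
package com.example; // hypothetical package

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/*
 * Register in web.xml (container session mode, e.g. ServletContainerSessionManager):
 *   <listener>
 *     <listener-class>com.example.ShiroContainerSessionAudit</listener-class>
 *   </listener>
 */
public class ShiroContainerSessionAudit implements HttpSessionListener {

    public void sessionCreated(HttpSessionEvent e) {
        // No principals yet: the user has not logged in through Shiro at this point.
        log("created", e.getSession().getId(), null);
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        // Shiro keeps the authenticated PrincipalCollection in this session attribute;
        // attributes are still readable while the destroy notification runs.
        Object stored = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        String user = null;
        if (stored instanceof PrincipalCollection) {
            user = String.valueOf(((PrincipalCollection) stored).getPrimaryPrincipal());
        }
        // The container fires the same callback for timeouts and for invalidate()
        // (Shiro logout); the idle time is the only way to tell them apart.
        log(timedOut(s) ? "expired" : "invalidated", s.getId(), user);
    }

    static boolean timedOut(HttpSession s) {
        long idleMillis = System.currentTimeMillis() - s.getLastAccessedTime();
        // maxInactiveInterval <= 0 means the container never expires the session
        return s.getMaxInactiveInterval() > 0
                && idleMillis >= s.getMaxInactiveInterval() * 1000L;
    }

    private static void log(String event, String sessionId, String user) {
        // Assumed destination; route to the application's audit logger in practice.
        System.out.println("session " + event + " id=" + sessionId
                + (user != null ? " user=" + user : " (unauthenticated)"));
    }
}
```

The audit record answers the question the thread raises (when did the container drop a Shiro-authenticated session, and why) without Shiro needing to manage the session itself.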