Posted to user@shiro.apache.org by Matthew Piggott <mp...@sonatype.com> on 2011/11/16 23:07:50 UTC

Web Application - Stay Signed In

Hi,

We're looking at adding a 'stay logged in' function to a web application
protected by Shiro. The intent is that a user who selects this option
wouldn't be prompted for a login for a predefined period of time. We're
considering two possibilities (though obviously open for suggestions if
there are better ideas): the first is to use remember me and the second is
to extend the length of sessions.

With remember me, the generated cookie is valid indefinitely (which would
need to be changed) and a specific key should be set for the cipher service.

If we were to change the length of sessions we'd lose the distinction of
authenticated/remembered, but expiration would be controlled by the server.

Would anyone have any suggestions or problems/ideas we've missed?

Thanks,

Matthew

Re: Web Application - Stay Signed In

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi

Have you tried overriding the validate() method of SimpleSession to
check this configured property before timing out the user? Of course,
you would need to configure your SessionManager to use a SessionFactory
that creates your implementation of Session.

For me, this would have been the obvious way. But I remember reading
posts about a few problems encountered when people tried to override
SimpleSession. But you might consider giving it a try.

Manoj

On Wed, Nov 16, 2011 at 2:07 PM, Matthew Piggott <mp...@sonatype.com> wrote:
> Hi,
>
> We're looking at adding a 'stay logged in' function to a web application
> protected by Shiro. The intent is that a user who selects this option
> wouldn't be prompted for a login for a predefined period of time. We're
> considering two possibilities (though obviously open for suggestions if
> there are better ideas): the first is to use remember me and the second is
> to extend the length of sessions.
>
> With remember me, the generated cookie is valid indefinitely (which would
> need to be changed) and a specific key should be set for the cipher service.
>
> If we were to change the length of sessions we'd lose the distinction of
> authenticated/remembered, but expiration would be controlled by the server.
>
> Would anyone have any suggestions or problems/ideas we've missed?
>
> Thanks,
>
> Matthew
>



-- 
http://khangaonkar.blogspot.com/
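
Added example (not part of the original thread, and not code from the Shiro project): a sketch of the remember-me option from the original question, with a bounded cookie lifetime, an explicitly set cipher key, and a check that keeps the authenticated/remembered distinction for sensitive operations. It assumes Shiro 1.x package names; the class name, the environment variable SHIRO_REMEMBER_ME_KEY and the 14-day period are hypothetical.

```java
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public final class StaySignedInConfig {

    // Assumption: 14 days is the "predefined period"; choose your own value.
    private static final int REMEMBER_ME_SECONDS = 14 * 24 * 60 * 60;

    private StaySignedInConfig() { }

    /** Builds a security manager whose remember-me cookie is bounded and keyed explicitly. */
    public static DefaultWebSecurityManager build(Realm realm) {
        // Assumption: the AES key is supplied Base64-encoded in an environment
        // variable (hypothetical name) and is never committed to source control.
        String encoded = System.getenv("SHIRO_REMEMBER_ME_KEY");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("remember-me key not configured");
        }
        byte[] key = Base64.decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("AES key must be 16, 24 or 32 bytes");
        }

        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(key);
        // Max-Age is a cookie attribute enforced by the browser. Rotating the
        // cipher key is the server-side way to invalidate outstanding cookies.
        rememberMe.getCookie().setMaxAge(REMEMBER_ME_SECONDS);
        rememberMe.getCookie().setHttpOnly(true);
        rememberMe.getCookie().setSecure(true);

        DefaultWebSecurityManager manager = new DefaultWebSecurityManager(realm);
        manager.setRememberMeManager(rememberMe);
        return manager;
    }

    /** Call before sensitive operations: a remembered identity alone is not enough. */
    public static void requireFreshLogin(Subject subject) {
        // isRemembered() may be true here; only a login in this session passes.
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("re-enter credentials to continue");
        }
    }
}
```

The cookie is only issued when the login token has remember-me enabled, for example via UsernamePasswordToken.setRememberMe(true) when the user ticks the option.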