Shiro
  1. Shiro
  2. SHIRO-298

LogoutFilter should catch the InvalidSessionException

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 1.2.0
    • Component/s: Web
    • Labels:
      None

      Description

      Should catch InvalidSessionException for session timeout problem.

        Issue Links

          Activity

          Hide
          Les Hazlewood added a comment -

          How is it possible that the Session is invalid before this filter is invoked?

          The ShiroFilter that constructs the Subject instance ensures the Session is valid before the rest of the filter chain executes.

          Are you calling httpSession.invalidate() before calling Subject.logout()?

          If so, that is not necessary - Subject.logout() will invalidate the session automatically.

          Show
          Les Hazlewood added a comment - How is it possible that the Session is invalid before this filter is invoked? The ShiroFilter that constructs the Subject instance ensures the Session is valid before the rest of the filter chain executes. Are you calling httpSession.invalidate() before calling Subject.logout()? If so, that is not necessary - Subject.logout() will invalidate the session automatically.
          Hide
          Kalle Korhonen added a comment -

          Client tries to use a session that has expired already, right? There are lots of cases where some existing system invalidates user's session before Shiro, so I'd say this is valid.

          Show
          Kalle Korhonen added a comment - Client tries to use a session that has expired already, right? There are lots of cases where some existing system invalidates user's session before Shiro, so I'd say this is valid.
          Hide
          calvin xiu added a comment -

          yes, the http session is easy to expire, so the logout filter catch this exception will be better.

          Show
          calvin xiu added a comment - yes, the http session is easy to expire, so the logout filter catch this exception will be better.
          Hide
          Les Hazlewood added a comment -

          Closing with the 1.2.0 release.

          Show
          Les Hazlewood added a comment - Closing with the 1.2.0 release.

            People

            • Assignee:
              Unassigned
              Reporter:
              calvin xiu
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development