Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-512

Race condition in Shiro's web container session timeout handling

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.2.2, 1.2.3
    • Fix Version/s: None
    • Labels:
      None

      Description

      I cannot find anywhere that Shiro uses HttpSessionListener to trap sessionDestroyed event from the container.
      I believe this is leading to a rare race condition in my application, as Shiro thinks the session is still active,
      but in reality, the web session has been destroyed.

      Code: SecurityUtils.getSubject().getPrincipal();

      Relevant bit of stack trace:

      Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated
      at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
      at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
      at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
      at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
      at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)

      Link to the mailing list thread:
      http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              lprimak Lenny Primak
            • Votes:
              5 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated: