[SHIRO-639] Refresh cached session in HTTP request after user logs out - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 1.3.2
Fix Version/s: None
Component/s: Authentication (log-in), Subject, Web
Labels:
- patch
- usability
Environment:
Jetty 9.4.5, Wicket 7.7.0

Flags:

Patch

Description

For native session management in web environments, the ShiroHttpServletRequest caches calls to getSession() by saving a copy of the current subject's session to a member variable. This copy is never updated even when the subject logs out and the session is destroyed.

When the session is accessed again after logout, an UnknownSessionException can be thrown because the session referenced in the request is not physically available anymore (this could be the cause for SHIRO-614).

The Shiro HTTP request therefore has to check the state of the cached session and refresh it if necessary, just as the original Jetty Request class does as well.

Please see the attached patch for a possible solution that Works For Me™

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ShiroHttpServletRequest.patch
24/Oct/17 06:33
0.9 kB
Peter Karich

Issue Links

duplicates

SHIRO-637 Refresh cached session in HTTP request after user logs out

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: Peter Karich

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 24/Oct/17 06:34

Updated:: 24/Oct/17 06:35

Resolved:: 24/Oct/17 06:35