Shiro resets the session after 2 min
Asked Answered
A

2

5

I am using Apache Shiro in my webapp.

I store some parameters in the session notably the primary key of an object stored in the database.

When the user logs in, I load the object from the database and save the primary key in the session. Then within the app the user can edit the object's data and either hit a cancel or a save button.

Both buttons triggers a RPC that gets the updated data to the server. The object is then updated in the database using the primary key stored in the session.

If the user remains active in the app (making some RPCs) everything works fine. But if he stays inactive for 3 min and subsequently makes a RPC then Shiro's securityUtils.getSubject().getSession() returns null.

The session timeout is set to 1,200,000 ms (20 min) so I don't think this is the issue.

When I go through the sessions stored in the cache of my session manager I can see the user's session org.apache.shiro.session.mgt.SimpleSession,id=6de78f10-b58e-496c-b40a-e2a9a4ad069c but when I try to get the session ID from the cookie and to call SecurityUtils.getSecurityManager().getSession(key) to get the session (where key is a SessionKey implementation): I get an exception.

When I try building a new subject from the session ID I lose all the attributes saved in the session.

I am happy to post some code to help resolve the issue but I tried so many workarounds that I don't know where to start... So please let me know what you need.

Alternatively if someone knows a better documented framework than Shiro I am all ears (Shiro's lack of documentation makes it really too time consuming)

Arsenal answered 9/7, 2013 at 19:42 Comment(0)
A
6

The issue was related to the session config in the ini file. As usual with shiro the order mattered and some of my lines were out of place.

Below is the config that worked for me:

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
#sessionDAO.activeSessionsCacheName = dropship-activeSessionCache
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
# cookie for single sign on 
cookie = org.apache.shiro.web.servlet.SimpleCookie 
cookie.name = www.foo.com.session 
cookie.path = / 
sessionManager.sessionIdCookie = $cookie
# 1,800,000 milliseconds = 30 mins
sessionManager.globalSessionTimeout = 1800000
sessionValidationScheduler =
org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager.sessionManager = $sessionManager
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager 
Arsenal answered 9/7, 2013 at 23:23 Comment(1)
So what was the fix? This is not obvious from your answer, as you haven't explained what you have changed or posted the original config.Shockey
B
4

It sounds as if you have sorted out your problem already. As you discovered, the main thing to keep in mind with the Shiro INI file is that order matters; the file is parsed in order, which can actually be useful for constructing objects used in the configuration.

Since you mentioned Shiro's lack of documentation, I wanted to go ahead and point out two tutorials that I found helpful when starting: http://www.javacodegeeks.com/2012/05/apache-shiro-part-1-basics.html and http://www.ibm.com/developerworks/web/library/wa-apacheshiro/.

There are quite a few other blog posts that provide good information to supplement the official documentation if you look around.

Good luck!

Buckman answered 10/7, 2013 at 17:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.