shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Les Hazlewood (Commented) (JIRA)" <>
Subject [jira] [Commented] (SHIRO-340) Shiro should avoid creating sessions if one doesn't exist
Date Fri, 20 Jan 2012 20:44:40 GMT


Les Hazlewood commented on SHIRO-340:

I do like the cookie approach better than the session, for sure.  But I'd like to do the following
if possible:

Try the session first IFF it already exists and is available (getSession(false) != null) and
then fall back to the cookie if it isn't available.  My concern here is backwards compatibility:

- Other things that might look for that attribute explicitly (e.g. I don't know if the Shiro
Grails plugin, Vaadin or Wicket integration might do this or not, and I wouldn't want to break
them if they did).  Granted perhaps they shouldn't be looking for that attribute, but - just
in case.
- Another issue is for serialized sessions during a shiro upgrade (session is serialized/saved
-> shut down app -> upgrade to Shiro 1.2 -> start-up-app -> saved request not
available because the session isn't checked first).  This would have an impact on any production
environment that serializes Shiro sessions (I know of a few today that would be impacted by

This wouldn't have any effect in apps that disallow sessions, so I don't see the harm in this
approach - unless I'm missing something.
> Shiro should avoid creating sessions if one doesn't exist
> ---------------------------------------------------------
>                 Key: SHIRO-340
>                 URL:
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Web
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Kalle Korhonen
> WebUtils.saveRequest() forces creating a session even if doesn't exist before. This hinders
scalability. For savedRequests, it's not clear session is needed at all, a cookie might be
better option for storing information in this case. Similarly, we should go through the rest
of the codebase and see if sessions are created unnecessarily.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message