shiro-dev mailing list archives

From "Sven Moschel (JIRA)" <>
Subject [jira] [Created] (SHIRO-374) Session Cookie will not be deleted on subjects logout
Date Fri, 13 Jul 2012 04:07:33 GMT
Sven Moschel created SHIRO-374:

             Summary: Session Cookie will not be deleted on subjects logout
                 Key: SHIRO-374
             Project: Shiro
          Issue Type: Bug
          Components: Session Management, Subject
    Affects Versions: 1.2.0
         Environment: GF3.1.2, JSF
            Reporter: Sven Moschel

Our web application initializes Shiro through an .ini file. Within the ini file we set the
application cookie as follows:

# Cookie Management
cookie                                                      =       org.apache.shiro.web.servlet.SimpleCookie                                             =       AppCookie                                           =       true
cookie.httpOnly                                         =       false
securityManager.sessionManager.sessionIdCookie              =       $cookie 

Shiro runs in "native" session mode. When a user enters the application, the MyCookie and
a JSESSIONID cookie will be created. The session will be authenticated on subject.login(...).
Everything works fine until the user logs out and we call the subject.logout() method.

It seems that the JSESSIONID cookie will not be deleted. The value of the cookie always stays
the same, while the value (id) of our AppCookie always changes. The problem is that the user
gets the same session again if he logs in again. That means that the settings the user made
before logout already exist on relogin.

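A regression check for the behaviour reported above, added here as an example (it is not part of the original report or of the Shiro project): it replays the Set-Cookie headers of a login, logout and re-login through a minimal cookie jar and reports which session cookies were cleared on logout and which kept their old value. The header values are constructed, and the check assumes the server signals deletion with Max-Age=0.

```python
from http.cookies import SimpleCookie

def apply_set_cookies(jar, set_cookie_headers):
    """Update a name -> value cookie jar the way a browser would for one response."""
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":   # assumption: deletion is signalled by Max-Age=0
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar

def check_logout(login_resp, logout_resp, relogin_resp, session_cookies):
    """Report which session cookies were cleared on logout and which values were reused."""
    jar = apply_set_cookies({}, login_resp)
    before = dict(jar)                     # cookie values held while logged in
    apply_set_cookies(jar, logout_resp)
    cleared = sorted(n for n in session_cookies if n in before and n not in jar)
    apply_set_cookies(jar, relogin_resp)
    reused = sorted(n for n in session_cookies
                    if n in before and jar.get(n) == before[n])
    return {"cleared_on_logout": cleared, "reused_after_relogin": reused}

# Constructed Set-Cookie headers modelled on the behaviour described in the report:
# logout expires AppCookie but never touches JSESSIONID.
LOGIN = ["JSESSIONID=c0ffee01; Path=/app; HttpOnly", "AppCookie=5f1d-aaaa; Path=/app"]
LOGOUT = ["AppCookie=deleteMe; Path=/app; Max-Age=0"]
RELOGIN = ["AppCookie=9b2e-bbbb; Path=/app"]

REPORT = check_logout(LOGIN, LOGOUT, RELOGIN, ["JSESSIONID", "AppCookie"])

if __name__ == "__main__":
    print(REPORT)
```

Any name listed under `reused_after_relogin` identifies a session cookie that survived logout with its old value, which is the condition the report describes for JSESSIONID.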