shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Philipp Kapfer (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-637) Refresh cached session in HTTP request after user logs out
Date Mon, 23 Oct 2017 16:01:00 GMT
Philipp Kapfer created SHIRO-637:
------------------------------------

             Summary: Refresh cached session in HTTP request after user logs out
                 Key: SHIRO-637
                 URL: https://issues.apache.org/jira/browse/SHIRO-637
             Project: Shiro
          Issue Type: Bug
          Components: Authentication (log-in), Subject, Web
    Affects Versions: 1.3.2
            Reporter: Philipp Kapfer
         Attachments: ShiroHttpServletRequest.patch

For native session management in web environments, the _ShiroHttpServletRequest_ caches calls
to _getSession()_ by saving a copy of the current subject's session to a member variable.
This copy is never updated even when the subject logs out and the session is destroyed.

When the session is accessed again after logout, an {{UnknownSessionException}} can be thrown
because the session referenced in the request is not physically available anymore (this could
be the cause for [SHIRO-614|https://issues.apache.org/jira/browse/SHIRO-614]).

The Shiro HTTP request therefore has to check the state of the cached session and refresh
it if necessary, just as the original Jetty Request class does as well.

Please see the attached patch for a possible solution that Works For Me™



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message