shiro-user mailing list archives

From Manoj Khangaonkar <>
Subject Re: Web Application - Stay Signed In
Date Thu, 17 Nov 2011 20:38:17 GMT

Have you tried overriding the validate() method of SimpleSession to
check this configured property before timing out the user? Of course,
you would need to configure your SessionManager to use a SessionFactory
that creates your implementation of Session.

For me, this would have been the obvious way. But I remember reading
posts about a few problems encountered when people tried to override
SimpleSession. But you might consider giving it a try.


On Wed, Nov 16, 2011 at 2:07 PM, Matthew Piggott <> wrote:
> Hi,
> We're looking at adding a 'stay logged in' function to a web application
> protected by Shiro, the intent is that a user who selects this option
> wouldn't be prompted for a login for a predefined period of time. We're
> considering two possibilities (though obviously open for suggestions if
> there are better ideas), the first is to use remember me and the second is
> to extend the length of sessions.
> With remember me, the generated cookie is valid indefinitely (which would
> need to be changed) and a specific key should be set for the cipher service.
> If we were to change length of sessions we'd lose the distinction of
> authenticated/remembered, but expiration would be controlled by the server.
> Would anyone have any suggestions or problems/ideas we've missed?
> Thanks,
> Matthew
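
One way to implement the validate() override suggested in the reply, as an added example that is not part of the original thread or of Shiro itself. The class name, the `staySignedIn` attribute key and the 14-day limit are assumptions; it also assumes Shiro's native session management (for example DefaultWebSessionManager) rather than servlet-container sessions.

```java
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionFactory;
import org.apache.shiro.session.mgt.SimpleSession;

/** Hypothetical session type: the idle limit depends on a server-set "stay signed in" flag. */
public class StaySignedInSession extends SimpleSession {

    /** Assumed attribute key; set it only from server-side login code, never from request data. */
    public static final String STAY_SIGNED_IN = "staySignedIn";

    /** Assumed upper bound on idle time for users who opted in: 14 days. */
    static final long EXTENDED_IDLE_MS = 14L * 24 * 60 * 60 * 1000;

    public StaySignedInSession() { }                          // host unknown

    public StaySignedInSession(String host) { super(host); }

    @Override
    public void validate() throws InvalidSessionException {
        boolean optedIn = Boolean.TRUE.equals(getAttribute(STAY_SIGNED_IN));
        // Stopped or expired sessions, and users who did not opt in,
        // go through the stock checks with the normal timeout.
        if (!optedIn || getStopTimestamp() != null || isExpired()) {
            super.validate();
            return;
        }
        // Opted-in sessions still expire, only against the longer server-side limit.
        long idleMs = System.currentTimeMillis() - getLastAccessTime().getTime();
        if (idleMs > EXTENDED_IDLE_MS) {
            expire(); // mark the session expired so later checks fail immediately
            throw new ExpiredSessionException(
                    "Session " + getId() + " exceeded the extended idle limit");
        }
    }

    /** Factory to hand to the session manager so it creates the subclass. */
    public static class Factory implements SessionFactory {
        @Override
        public Session createSession(SessionContext initData) {
            String host = (initData != null) ? initData.getHost() : null;
            return (host != null) ? new StaySignedInSession(host) : new StaySignedInSession();
        }
    }
}
```

Register the factory with `setSessionFactory(new StaySignedInSession.Factory())` on the session manager, and set the attribute only after a successful login in which the user chose the option.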

