Hi Jared,

You're not the first to come across this gotcha, and I think the 'sessionMode' property should be removed (or at least deprecated and an exception thrown indicating why it is a bad idea).
As for a patch, I'd certainly appreciate it - it sounds logical to me, but there is a bit of a misnomer: the 'httpSessionMode' _really_ means servlet container sessions are used and Shiro's native session management is not. If you had a WebSessionManager interface and the DefaultWebSessionManager implementation implemented that interface and it returned 'false' for its isHttpSession() implementation, that'd be counterintuitive IMO (since it is actually supporting an HttpSession implementation). We're really trying to see if the servlet container is being used to support Sessions or not. Perhaps it should be renamed to 'isServletContainerSessions()' to indicate this? Thoughts?

Cheers,
Les
