Sven Moschel created SHIRO-374:
----------------------------------
Summary: Session Cookie will not be deleted on subjects logout
Key: SHIRO-374
URL: https://issues.apache.org/jira/browse/SHIRO-374
Project: Shiro
Issue Type: Bug
Components: Session Management, Subject
Affects Versions: 1.2.0
Environment: GF3.1.2, JSF
Reporter: Sven Moschel
Our web application initializes Shiro through an .ini file. Within the ini file
we set the application cookie as follows:

# Cookie Management
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = AppCookie
cookie.secure = true
cookie.httpOnly = false
securityManager.sessionManager.sessionIdCookie = $cookie

Shiro runs in "native" session mode. When a user enters the application, the
MyCookie and a JSESSIONID cookie will be created. The session will be
authenticated on subject.login(...). Everything works fine until the user logs
out and we call the subject.logout() method.

It seems that the JSESSIONID cookie will not be deleted. The value of the
cookie always stays the same, while the value (id) of our AppCookie always
changes. The problem is that the user gets the same session again if he logs in
again. That means that the settings the user made before logout already exist
on relogin.
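
A regression check for the behaviour reported above, as an added example that is not part of the original report or of Shiro's code: it inspects the Set-Cookie headers of the logout and re-login responses and flags any session cookie that survives logout or comes back with the same value. The function names and all sample header values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def is_deletion(attrs, now):
    """True if the attributes expire the cookie immediately."""
    try:
        return int(attrs["max-age"]) <= 0          # Max-Age takes precedence
    except (KeyError, ValueError):
        pass                                       # absent or invalid: use Expires
    try:
        return parsedate_to_datetime(attrs["expires"]) <= now
    except (KeyError, TypeError, ValueError):
        return False

def audit_logout(sent, logout_headers, relogin_headers, session_names, now=None):
    """Return (cookie, problem) pairs for session cookies that outlive logout.

    sent: cookies the browser held before logout, as {name: value}.
    """
    now = now or datetime.now(timezone.utc)
    deleted = {n for n, _, a in map(parse_set_cookie, logout_headers) if is_deletion(a, now)}
    reissued = {n: v for n, v, _ in map(parse_set_cookie, relogin_headers)}
    findings = []
    for name in session_names:
        if name not in sent:
            continue
        if name not in deleted:
            findings.append((name, "not expired by logout response"))
        # Value the browser holds after re-login: new one, none, or the old one.
        after = reissued.get(name, None if name in deleted else sent[name])
        if after == sent[name]:
            findings.append((name, "same value after re-login"))
    return findings

# Constructed sample modelled on the report: AppCookie rotates, JSESSIONID does not.
SENT = {"AppCookie": "id-1", "JSESSIONID": "js-1"}
LOGOUT = ["AppCookie=x; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]
RELOGIN = ["AppCookie=id-2; Path=/; Secure"]

if __name__ == "__main__":
    for name, problem in audit_logout(SENT, LOGOUT, RELOGIN, ["AppCookie", "JSESSIONID"]):
        print(f"{name}: {problem}")
```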