[ https://issues.apache.org/jira/browse/SHIRO-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422321#comment-13422321 ]

Sven Moschel commented on SHIRO-374:
------------------------------------

Debugged again and you are right. The JSESSIONID cookie is created by Weld.
Posted a bug in their forum about this.
                
> Session Cookie will not be deleted on subjects logout
> -----------------------------------------------------
>
>                 Key: SHIRO-374
>                 URL: https://issues.apache.org/jira/browse/SHIRO-374
>             Project: Shiro
>          Issue Type: Bug
>          Components: Session Management, Subject
>    Affects Versions: 1.2.0
>         Environment: GF3.1.2, JSF
>            Reporter: Sven Moschel
>         Attachments: appcookies.png
>
>
> Our web application initializes Shiro through an .ini file. Within the ini
> file we set the application cookie as follows:
> # Cookie Management
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = AppCookie
> cookie.secure = true
> cookie.httpOnly = false
> securityManager.sessionManager.sessionIdCookie = $cookie
> Shiro runs in "native" session mode. When a user enters the application the
> MyCookie and a JSESSIONID cookie will be created. The session will be
> authenticated on subject.login(...). Everything works fine until the user logs
> out and we call the subject.logout() method.
> It seems that the JSESSIONID cookie will not be deleted. The value of the
> cookie always stays the same, while the value (id) of our AppCookie always
> changes. The problem is that the user gets the same session again if he logs in
> again. That means that the settings the user made before logout already
> exist on relogin.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
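
Added example, not part of the original JIRA message or of Shiro or Weld: a check for the symptom reported above, a session cookie whose value is still in the browser after logout and re-login. The Set-Cookie headers are constructed sample data (cookie values, paths and the logout response are assumptions), and the function names are hypothetical.

```python
from http.cookies import SimpleCookie


def apply_set_cookies(jar, set_cookie_headers):
    """Return a copy of the browser cookie jar after applying Set-Cookie headers."""
    jar = dict(jar)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":
                jar.pop(name, None)       # server asked the browser to drop it
            else:
                jar[name] = morsel.value  # new or rotated identifier
    return jar


def ids_surviving_logout(first_visit, logout, relogin):
    """Names of cookies whose pre-logout value is still held after re-login."""
    before = apply_set_cookies({}, first_visit)
    after = apply_set_cookies(apply_set_cookies(before, logout), relogin)
    return sorted(name for name, value in before.items() if after.get(name) == value)


# Constructed responses modelling the report: the application cookie is expired
# and re-issued, while the container's JSESSIONID is never touched.
FIRST_VISIT = [
    "AppCookie=a1b2c3; Path=/app; Secure",
    "JSESSIONID=c0ffee01; Path=/app; HttpOnly",
]
LOGOUT = ["AppCookie=deleteMe; Path=/app; Max-Age=0"]
RELOGIN = ["AppCookie=d4e5f6; Path=/app; Secure"]

# Constructed logout response for the expected behaviour: both cookies expired.
LOGOUT_CLEARS_BOTH = LOGOUT + ["JSESSIONID=deleteMe; Path=/app; Max-Age=0"]
RELOGIN_BOTH = RELOGIN + ["JSESSIONID=0badf00d; Path=/app; HttpOnly"]

if __name__ == "__main__":
    print("reused after logout:", ids_surviving_logout(FIRST_VISIT, LOGOUT, RELOGIN))
    print("after clearing both:",
          ids_surviving_logout(FIRST_VISIT, LOGOUT_CLEARS_BOTH, RELOGIN_BOTH))
```

Any name this returns identifies a cookie that links the new login to the pre-logout session and should be traced to the component that issued it.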

        
