Hi Tauren,

This is extremely odd. The key to these messages is here:

2010-05-13 02:06:14,767 DEBUG [org.apache.shiro.web.servlet.SimpleCookie] - Found string value [deleteMe] from Cookie [rememberMe]
2010-05-13 02:06:14,767 TRACE [org.apache.shiro.web.mgt.CookieRememberMeManager] - Acquired Base64 encoded identity [deleteMe]

Basically the SimpleCookie implementation did this to delete a cookie (deleting a cookie is just setting a cookie with a maxAge=0):

- get the 'rememberMe' javax.servlet.http.Cookie instance from the incoming request
- use that same exact instance to set the maxAge=0 and change the value to 'deleteMe'
- take that same instance and call response.addCookie to ensure the cookie was deleted on the outgoing response.

Apparently however, that instance is not its own copy in some implementations (Wicket? Tomcat? who knows). So when we were setting that value on the request cookie to use on the outgoing response, we were overwriting the cookie value that apparently was trying to be read later on by the CookieRememberMeManager. Nasty stuff ;)

So, I updated the cookie implementation to always write out 'fresh' (not shared) data to the response headers. I updated SHIRO-139 [1] to reflect this. It is all committed. Please try it out.

All the exceptions in the stack trace you pasted were related to this. It should be all good to go now.

Best,

Les

[1] https://issues.apache.org/jira/browse/SHIRO-139
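The shared-instance problem described in the message above, as an added example that is not part of the original post and is not Shiro's or any container's code. The Cookie, Request and Response classes are minimal hypothetical stand-ins for the servlet types, and the cookie value is a constructed sample.

```java
import java.util.ArrayList;
import java.util.List;

public class SharedCookieDemo {
    // Hypothetical stand-in for javax.servlet.http.Cookie: a mutable holder.
    static final class Cookie {
        final String name; String value; int maxAge = -1;
        Cookie(String name, String value) { this.name = name; this.value = value; }
    }
    // Hypothetical stand-in for a container that returns its own Cookie
    // instances on every lookup instead of copies (the assumption at issue).
    static final class Request {
        final List<Cookie> cookies = new ArrayList<>();
        Cookie get(String name) {
            for (Cookie c : cookies) if (c.name.equals(name)) return c;
            return null;
        }
    }
    static final class Response { final List<Cookie> added = new ArrayList<>(); }

    // Pattern from the message: reuse the request's instance for the deletion.
    static void removeByMutating(Request req, Response resp, String name) {
        Cookie c = req.get(name);
        if (c == null) return;
        c.value = "deleteMe";   // also overwrites what later readers will see
        c.maxAge = 0;
        resp.added.add(c);
    }
    // Fix from the message: write fresh, unshared data to the response.
    static void removeWithFreshCookie(Response resp, String name) {
        Cookie fresh = new Cookie(name, "deleteMe");
        fresh.maxAge = 0;
        resp.added.add(fresh);
    }

    public static void main(String[] args) {
        String identity = "Y29uc3RydWN0ZWQ="; // constructed sample value
        Request r1 = new Request(); r1.cookies.add(new Cookie("rememberMe", identity));
        removeByMutating(r1, new Response(), "rememberMe");
        System.out.println("mutating: later read sees " + r1.get("rememberMe").value);

        Request r2 = new Request(); r2.cookies.add(new Cookie("rememberMe", identity));
        Response resp2 = new Response();
        removeWithFreshCookie(resp2, "rememberMe");
        System.out.println("fresh:    later read sees " + r2.get("rememberMe").value);
        System.out.println("fresh:    response maxAge = " + resp2.added.get(0).maxAge);
    }
}
```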
